Twitter warned its 330 million users on Thursday to reset their passwords after discovering a new bug.
The social network discovered a bug that stored passwords unmasked in an internal log. “When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log,” the company’s Chief Technology Officer (CTO) Parag Agrawal posted on the company’s blog, explaining why users would have to change their passwords.
Without indicating how many passwords were affected, Twitter said its internal investigation had found no indication passwords were stolen or misused by insiders but suggested that users should change their passwords "out of an abundance of caution".
The social media giant admitted that the passwords had been exposed for "several months" and said that the number affected was "substantial". "We are very sorry this happened," the company said on its blog. "We recognise and appreciate the trust you place in us, and are committed to earning that trust every day."
Jack Dorsey confirmed in a tweet that the “bug” had been fixed.
Security expert Per Thorsheim, who regularly advises businesses about the best password practices, told the BBC that Twitter should be "applauded for its transparency".
"The problem they discovered is known since the dawn of logins with passwords," Thorsheim said. "The chance of passwords (or failed passwords) getting logged, in plain text logs available for staff or in worst case, complete strangers, is well known."