[tryp4vps]

In the last few days, I continuously receive email notifications from Twitter alerting me to change the passwords of my Twitter accounts (I have quite many of them).

It is found that Twitter had user passwords written to an internal log in plaintext.

https://www.zdnet.com/article/twitter-sa...plaintext/

The bug had been there for "several months" already. So, apparently all Twitter accounts should be affected by this bug.

If you guys have any Twitter account but still have not received their email notification yet, do go change your password immediately.

[IEpicDestroyer]

If anyone's looking for their email to read, I got a copy of it for everyone to read:
 
Hi @username,

When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.

About The Bug

We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.
 
Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.

Tips on Account Security

Again, although we have no reason to believe password information ever left Twitter's systems or was misused by anyone, there are a few steps you can take to help us keep your account safe:
 
1. Change your password on Twitter and on any other service where you may have used the same password.
2. Use a strong password that you don't reuse on other services.
3. Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security.
4. Use a password manager to make sure you're using strong, unique passwords everywhere.


We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.

Team Twitter


It's another disappointment that another social media site has this sort of bugs again.  At least this time the data wasn't leaked publicly onto the internet, just onto internal logs.  But I'm wondering why it took so long for them to discover the bug as they would probably periodically check their logs to see if they find anything odd.  They probably can't check all of it but they probably will selectively choose some to review and double check for any sort of problems.

[deanhills]

Think I need someone to explain this to me. How many millions of members does Twitter have? I'd think Twitter Accounts that belong to celebrities or members who are high flyers or just making waves would be at risk, but exactly how does it effect the one in a few million accounts like mine?

Am I missing something. Like would hackers then be able to tackle the millions with bots or something?

I've always thought Twitter is safe. Especially after the last few years it's made it much more difficult to access an account. Great that it made the announcement as it shows integrity to do so. But could it be it's a bit overstated. Also maybe even good for Twitter as it's getting lots of press - even if it is negative press.

[xdude]

Well 99% people don't keep highly critical data like Credit card details in Twitter accounts. What can be compromised are phone numbers, email addresses and twitters. These days most Celebs don't use their real phone numbers or email for social media. Biggest problem for these big accounts is it can compromise privacy of those Direct massages happened between various parties. Also hackers can DM other people from these compromised account and do damaging things which could lead to even more serious things like blackmailing. Like a big celeb DM you and ask you something. If it's from offical account you tend to believe it.

Another thing is tweets. A hacker might just push harmless advertising tweets trying to make a buck or they would do something to damage persons reputation. Like if Trumps Twitter account get compromised by ISIS hackers.

But the most common thing usually happen is hackers selling those contact detail data bases to advertising firms.

[Khadeer143]

Its command every social sites ,apps will sell the users data to anyone for money they don't keep it privacy recently fb owner mark also leaked data so don't trust any sites or apps lmao...

[Littlemaster]

Ridiculous self destructive announcement made by a company, I feel this vulnerability was made by their own team who works in the background of scripts, they might had made it for developmental purposes to check the hashing technology and given less focus to remove the storing function, bcrypt is good for hashing. I hope they removed the passwords without taking backups.

[tryp4vps]

Think I need someone to explain this to me. How many millions of members does Twitter have? I'd think Twitter Accounts that belong to celebrities or members who are high flyers or just making waves would be at risk, but exactly how does it effect the one in a few million accounts like mine?

Am I missing something. Like would hackers then be able to tackle the millions with bots or something?

According to their report, Twitter had 330 million users in February.

It may affect you unless you don't mind your account going to be controlled by unknown bots.

And I hope you're not like many other people who are still using the same set of emails and passwords for different websites.

Imagine if there is any hacker really acquires that 330 millions Twitter credentials, he will likely use them to try logging into other sites like Facebook, Instagram, Gmail, Outlook etc.

[deanhills]

@tryp4vps I've never been big on the social media. I don't have an account in my own name, and I rarely get on, unless a Forum that I'm involved in asks for helping with "like" and such, but then I sign up with my Forum name.

I have a deep distrust of social media. I think it adds a distraction element that distracts from living real and mixing with normal people.

[tryp4vps]

@deanhills

It all depends on how you use the social media.

For example, I just use my Twitter accounts to help promote my blogs. So if you use the social media in the right way, it can add values to real life projects and won't be a distraction.

@Littlemaster

Saying it a ridiculous self-destructive announcement is perhaps inappropriate. Bear in mind that Twitter is a publicly listed company. According to the relevant Securities Listing rules, Twitter management has the responsibility to disclose any price-sensitive information, no matter they want to do it or not, and no matter it is destructive or constructive.

[Golden]

It happens occasionally to Twitter. My old accounts from 2011 are occasionally hacked because of Twitter. I stopped using Twitter thereafter.