Twitter Urges Its 330 Million Users to Change Their Passwords Due to a Software Bug
It was World Password Day yesterday. We were supposed to celebrate good password management and teach people how to do it. Twitter decided to chime in… by urging all 330 million of its users to change their passwords.
Twitter found a nasty bug that might have exposed users' passwords
On Wednesday, people trying to go through their Twitter feeds suddenly started receiving worrying notifications. Apparently, the microblogging platform had found out that because of a bug, users' passwords had been stored in plain text for an unknown period of time. A blog post from Parag Agrawal, Twitter's CTO, said that usually, all passwords are hashed with an algorithm known as bcrypt before being stored, but for some reason, at least some of the users' passwords were written to a log file before being hashed. Agrawal assured everyone that the passwords were deleted as soon as they were discovered, and he also said that there's no evidence suggesting that sensitive data left Twitter's systems.
Nevertheless, "out of an abundance of caution," he advised everyone to change their passwords. Should you heed his words? Of course you should.
How to change your Twitter password
- Make sure you're logged in to your account. Click your profile picture in the top-right corner and go to Settings and Privacy.
- Select the Password tab from the column on the left, which leads you to the form that lets you change your password.
- Enter your current password in the first field. If you don't remember it, click the Forgot your password? link and follow the instructions.
- Enter your new password in the second field and confirm it in the third one.
- Click Save changes to complete the process.
With that, your Twitter password is changed, but while you're here, you could do worse than enable two-factor authentication, or, as Twitter calls it, Login verification. Go to the Account tab, click the Set up login verification button, and follow the instructions. This will ensure that even if someone has your password, it alone won't be enough to successfully hijack your account.
Did you reuse your Twitter password on other websites?
In his blog post, Agrawal urged users to think about whether they've reused their Twitter passwords on other websites, and he said that if they have, they should go to these websites and change them there as well. We've talked time and again about how dangerous password reuse can be, and this is yet another case in point.
Did someone leak the passwords?
It's too early to say. Details are still scarce, and although Twitter did say that the data hasn't been accessed from outside of its systems, this doesn't necessarily mean that it won't end up in a public database in the future.
In any case, the better-safe-than-sorry approach Twitter's CTO suggested is the one you should embrace.