Lucas Jackson / Reuters
Twitter on Thursday advised all 330 million of its users to change their passwords after a software bug caused the passwords to be stored in an unencrypted way for an unspecified period of time.
So should I change my Twitter password?
Probably! But if you're wondering if Twitter's problem is a huge deal, it is not so egregious as, say, the Equifax data breach that exposed extensive amounts of people's personal financial information. For one thing, Twitter said that no one has inappropriately accessed the user passwords.
And even Twitter is framing changing your password as something you can decide to do rather than something you MUST do immediately. In a tweet, the company referred to changing your password as a “precaution” rather than an imperative. Company executives also called it a “decision” as opposed to an obligation.
“We are sharing this information to help people make an informed decision about their account security,” Twitter's chief technology officer Parag Agrawal said. “We didn't have to, but believe it's the right thing to do.”
(Agrawal walked back his comments about not being obligated to share the information about the storage bug minutes after he posted.)
Outside security experts agree.
“This situation is somewhere between a low-to-medium level security issue. It raises way more questions than it actually answers, but a password leak that only happens internally and not out on the entire internet is a much more ideal situation to be in,” said Jessy Irwin, head of security at Tendermint.
Twitter also allows you to skip changing your password when it notifies you in your browser or the Twitter app.
So what actually happened to the passwords?
This whole thing is about how tech companies store passwords, which involves a lot of very hard math, but is not a complicated concept.
Say my Twitter password is Password123 (1, it isn't; and 2, this shouldn't be your password for anything!!). Even though I enter it as Password123, Twitter's systems and employees see what I wrote as a jumbled string of numbers and letters like 64eyb95exmp. That change is a process called hashing, and the jumbled version is called a hashed password. When I enter my password, it goes to Twitter through a bunch of code and appears as the scrambled version rather than what I've actually written, which allows me to log in without someone on the other end of the internet being able to steal my password.
So what went wrong?
According to Twitter, the company stored people's passwords in an “unmasked” way in an internal log, which means they were stored as I would see them when I'm logging in. So instead of 64eyb95exmp, people looking at one specific database at Twitter would see my password as Password123 (again, do not make this your new password).
That means if someone broke into Twitter's databases, they would easily be able to steal your account by just copying and pasting your password. Twitter said no one outside or inside the company did that, which is good!
We don't know how many people at Twitter had the ability to see the unencrypted passwords in the first place or what in the hashing process went wrong. Twitter's internal security policies would dictate which employees, likely engineers, would have access to the logs. But again, Twitter said no one saw them who wasn't supposed to.
“The info was in an internal log in an obscure field, so unlikely anyone would have seen,” said Twitter spokesperson Liz Kelley.
Kelley said an internal investigation into the bug is ongoing, but wouldn't say how long the passwords had been exposed.
Twitter advised people to take four steps to protect their accounts:
- Change your password on Twitter and on any other service where you may have used the same password.
- Use a strong password that you don’t reuse on other websites.
- Enable login verification, also known as two-factor authentication. This is the single best action you can take to increase your account security.
- Use a password manager to make sure you’re using strong, unique passwords everywhere.
What's your new Twitter password? Sound off in the comments!
(But don't actually do that.)