Twitter on Thursday advised all 330 million of its users to change their passwords after a software bug caused passwords to be stored in readable, unhashed form for an unspecified period of time.
Probably! But if you’re wondering whether Twitter’s problem is a huge deal, it is not as egregious as, say, the Equifax data breach, which exposed extensive amounts of people’s personal financial information. For one thing, Twitter said that no one has inappropriately accessed the user passwords.
But even Twitter is framing changing your password as something you can decide to do rather than something you MUST do immediately. In a tweet, the company referred to changing your password as a “precaution” rather than an imperative. Company executives also called it a “decision” as opposed to an obligation.
“We are sharing this information to help people make an informed decision about their account security,” Twitter’s Chief Technology Officer Parag Agrawal said. “We didn’t have to, but believe it’s the right thing to do.”
(Agrawal walked back his comments about not being obligated to share the information about the storage bug minutes after he posted.)
Twitter also allows you to skip changing your password when it notifies you in your browser or the Twitter app.
This whole thing is about how tech companies store passwords. The math behind it is very hard, but the concept is not complicated.
Say my Twitter password is Password123 (1, it isn’t, and 2, this shouldn’t be your password for anything!!). Even though I enter it as Password123, Twitter’s systems and employees should only ever see a jumbled string of numbers and letters like 64eyb95exmp. That transformation is a process called hashing, and the jumbled version is called a hashed password. When I log in, my password is run through the same hashing code and the scrambled result is compared against the stored one, so Twitter can check that I typed the right thing without keeping a copy that someone who gets hold of it could use to steal my password.
According to Twitter, the company stored people’s passwords in an “unmasked” way in an internal log, which means they were stored as I would see them when I’m logging in. So instead of 64eyb95exmp, people looking at one specific database at Twitter would see my password as Password123 (again, do not make this your new password).
So if someone broke into Twitter’s logs, they would easily be able to steal your account by grabbing your password. Twitter said no one outside or inside the company did that, which is good!
A spokesperson for Twitter said an internal investigation into the bug is ongoing, but wouldn’t say how long the passwords had been exposed.
- Change your password on Twitter and on any other service where you may have used the same password.
- Use a strong password that you don’t reuse on other websites.
- Enable login verification, also known as two-factor authentication. This is the single best action you can take to increase your account security.
- Use a password manager to make sure you’re using strong, unique passwords everywhere.
(But don’t actually do that.)