Twitter has announced a critical security bug identified in the service and is now prompting users to change their passwords. The problem lies in the way account login passwords were stored in the internal database.
Change Your Twitter Passwords Now! The security bug is rated critical
Twitter, as one of the foremost social networks, is certainly one of the largest gatherings of users and their credentials. It caused a massive uproar among the security community and the general public when it announced a few hours ago that a dangerous security bug had been identified. The news broke when users attempting to log in to their accounts were presented with a message prompting them to change their passwords. The development team also described the issue in an official post.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
The problem was found in the way passwords are stored. The team discovered that an issue in their system allowed passwords to be recorded without being properly “masked”. Masking refers to how sensitive information is stored in an internal database: the usual approach is to pass the strings through a one-way “hashing” algorithm that turns them into a seemingly random mix of letters and numbers, so that even the company's own employees cannot read them. During an evaluation the team found that this step was not being carried out properly: many passwords ended up in an internal log file in plain text, and the hashing algorithm was never run by the storage services. Twitter states that it has fixed the issue and that so far there are no reported cases of abuse.
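As an added illustration (not Twitter's code; the field names, iteration count and log layout are assumptions), the following Python shows the separation the paragraph describes: the password is hashed with a per-user salt before it is stored, and a logging filter masks password fields so that a request logged before the hashing step cannot leak the plaintext.

```python
import hashlib
import hmac
import json
import logging
import os
from io import StringIO

# Hypothetical list of request fields that must never reach a log line.
SENSITIVE_KEYS = {"password", "new_password", "old_password", "token"}
PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def redact(event: dict) -> dict:
    """Return a copy of a structured log event with sensitive fields masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in event.items()}


class RedactingFilter(logging.Filter):
    """Handler-level filter: masks dict-style records before they are formatted or written."""
    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, dict):
            record.msg = json.dumps(redact(record.msg), sort_keys=True)
        return True


def hash_password(password: str, salt: bytes = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def make_logger(sink) -> logging.Logger:
    """Logger writing to `sink` (a file-like object) with the redacting filter attached."""
    logger = logging.getLogger("audit-example")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def handle_password_change(user: str, new_password: str, logger: logging.Logger) -> tuple:
    """The shape of the bug in the article: the request is logged before hashing. The filter masks it."""
    logger.info({"event": "password_change", "user": user, "password": new_password})
    return hash_password(new_password)


def demo(plaintext: str = "correct horse battery staple") -> dict:
    """Run one password change into an in-memory log and report whether the plaintext leaked."""
    sink = StringIO()
    salt, digest = handle_password_change("alice", plaintext, make_logger(sink))
    log_text = sink.getvalue()
    return {"log": log_text, "leaked": plaintext in log_text, "verifies": verify_password(plaintext, salt, digest)}
```

The same check, `plaintext in log_text`, is what a post-incident review would run over real log archives to confirm that nothing unmasked remains.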
Following standard security practice, the service has issued a warning to all of its users to change their passwords, and to change them on any other Internet services where the same password is reused. To ensure that no unauthorized attempts are made on user accounts, Twitter staff also recommend enabling two-factor authentication. For easier management of strong credentials, users can also employ password manager software.
Such incidents can lead to serious account abuse if any traces of the passwords remain in backups or archives. The chances of them being accessed by malicious actors remain slim, as such files are usually kept in separate locations in line with security standards.