Another day, another data breach. This time at the expense of Twitter.
The company disclosed that around 336 million user accounts were potentially affected. An internal bug caused passwords to be written to an internal log in plain text before they reached the hashing step.
Twitter says it fixed the bug quickly, and its investigation found no indication that the logged passwords left the company or were misused. No leak. No misuse.
Case closed, right?
Twitter took damage control a step further. It told users what had happened with a full-screen alert on login and advised them to change their passwords as a precaution.
Hats off. While other companies bury reports of security incidents, Twitter stepped forward, admitted its mistake, and was forthright about the issue.
Some organizations’ security teams will deny any involvement if their jobs are at stake. Yet, here’s a large social network owning up to an error and doing something about it.
The disclosure of cybersecurity issues is vital, as consumers and governments push companies to admit their mistakes quickly.
Companies that want to keep doing business in Europe have to comply with the region's strict new privacy regulation, the GDPR. It takes effect May 25 and requires companies to report qualifying personal-data breaches to the regulator within 72 hours of becoming aware of them.
Technically, no breach happened here: the passwords never left Twitter's systems, and the company found no sign that anyone outside it had read the log before the bug was fixed.
CEO Jack Dorsey highlighted how important it is to be open in a tweet from his own account.
We recently discovered a bug where account passwords were being written to an internal log before completing a masking/hashing process. We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect. https://t.co/BJezo7Gk00
— jack (@jack) May 3, 2018
Twitter, however, did not disclose how many passwords were stored in plain text on its systems.
The industry standard is to store only a hash of each password, never the password itself and never a reversible encryption of it. That way, not even Twitter employees can read users' passwords.
Hashing runs the password through a one-way function together with a random per-user salt and produces a fixed-length string of letters and digits. The same password and salt always give the same hash, but the hash cannot be turned back into the password. Twitter's servers store that salted hash, alongside millions of others, instead of the password.
When a user logs in, Twitter's servers hash the password the user typed with the salt stored for that account. They then compare the result with the stored hash. If the two match, the user gets into his or her account; the plain-text password is only ever held in memory for as long as that check takes.
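The hash-then-compare flow described above, plus the masking step that must run before anything is written to a log, as an added example. This is illustrative code written for this page, not Twitter's, and it assumes the Python standard library's PBKDF2-HMAC-SHA256 as the slow hash (a stand-in for whatever function a real site uses); the user names, passwords and log entries are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for PBKDF2-HMAC-SHA256. A slow hash limits offline guessing
# if the hash table is ever stolen; current OWASP guidance is 600,000,
# lowered here only to keep the demo quick.
ITERATIONS = 200_000
# Request fields that must never reach a log in the clear (assumed names).
SENSITIVE_FIELDS = {"password", "new_password"}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def redact(fields: Dict[str, str]) -> Dict[str, str]:
    """Mask secret fields. Logging before this step is exactly the bug Twitter described."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in fields.items()}


def login(request: Dict[str, str], users: Dict[str, str], log: List[Dict[str, str]]) -> bool:
    """Check a login request against stored hashes; the log only ever sees masked data."""
    log.append(redact(request))  # mask first, then log
    stored = users.get(request.get("user", ""))
    if stored is None:
        return False
    return verify_password(request.get("password", ""), stored)


def demo():
    """Constructed scenario: one account, one good login, one bad one."""
    users = {"alice": hash_password("correct horse battery staple")}
    log: List[Dict[str, str]] = []
    ok = login({"user": "alice", "password": "correct horse battery staple"}, users, log)
    bad = login({"user": "alice", "password": "hunter2"}, users, log)
    # Did either plain-text password make it into the log?
    leaked = any("correct horse" in str(e) or "hunter2" in str(e) for e in log)
    return ok, bad, leaked


if __name__ == "__main__":
    print(demo())
```

The stored record carries its own algorithm and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login. The point of `redact` is that masking is a property of the code path, not a promise: any log call that can see the raw request must go through it.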
While we commend Twitter's handling of the potential data breach, questions linger about how it ever happened.
For years now, companies have used salted hashing as the default way to protect stored passwords. Yet a code path at Twitter wrote the password to a log before that hashing step ran. Bug or not, the company has to find out how that path was introduced and why it was not caught.
Twitter CTO Parag Agrawal apologized on Thursday for having said that Twitter did not have to share details of the issue.
I should not have said we didn’t have to share. I have felt strongly that we should. My mistake. https://t.co/Cqbs1KiUWd
— Parag Agrawal (@paraga) May 3, 2018
In the end, we relearned a lesson: when a service tells you your password may have been exposed, change it, and do not reuse it anywhere else.