Twitter has urged all users to consider changing their password. The advice comes on the heels of a bug that Twitter says “stored passwords unmasked in an internal log.”
When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.
Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.
Although Twitter has said no evidence points to a breach or misuse, it nonetheless advises you to consider changing your password. It doesn’t end there; the company also strongly recommends that you change your password on all services where the same password has been used.
Among several options you can use to update your password, Twitter recommends the following:
- Change your password on Twitter and on any other service where you may have used the same password.
- Use a strong password that you don’t reuse on other websites.
- Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security.
- Use a password manager to make sure you’re using strong, unique passwords everywhere.
This is not the first time Twitter has had this kind of issue, though. In 2016, the company fingered malware as being responsible for leaked passwords and usernames of users on its network.
According to Twitter, what happened wasn’t exactly a breach of the platform, but a possible malware attack or something other than what we thought at first.
Twitter’s response could best be described as swift: the microblogging platform not only denied that a breach had taken place, it also gave vital tips to help users out, just as it did today. It also provided information on what could have led to the password and username leak.
Not a breach, at least, but passwords and @names were traded on the “dark web,” which gave us cause to worry. To secure accounts and protect its users, Twitter took a couple of measures, including locking suspected accounts and/or sending emails to them to reset passwords.
Could there have been a better means of solving a problem like this? Maybe yes: refusing to use similar passwords over multiple websites is one of them. This has always been a big issue for a lot of people online; the LinkedIn data breach that same year easily comes to mind.
In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner, wrote Twitter’s Trust & Information Security Officer Michael Coates.