Twitter Exposes Everyone’s Passwords Due To Software Bug

Twitter announced that for the past few months all of its users’ passwords have become unmasked. That means that if anyone breached the company’s servers during this time, they could have seen all of its users’ plaintext passwords.

Twitter’s Bug

Normally, user passwords are not stored as typed but “hashed” (transformed by a one-way cryptographic function into a fixed-length string from which the original cannot be recovered) so that attackers who breach the database still can't read the actual passwords. Using this technique, the service can also validate a login without ever holding the password itself: it only needs to hash what the user types into the text box and check whether the result matches the stored password hash.
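The pattern just described, as an added example that is not code from the article or from Twitter or GitHub: a salted, iterated hash is stored and verified, and a hypothetical password-reset handler is shown with the failure mode both companies reported (logging the raw request, plaintext password included) beside a logger that redacts the sensitive field first. PBKDF2 from the Python standard library stands in for the bcrypt GitHub's notice mentions; the storage and verification pattern is the same.

```python
import hashlib
import hmac
import json
import os

# Salted, iterated hash: equal passwords do not produce equal hashes, and
# each guess costs the attacker ITERATIONS hash computations.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Store only what is needed to repeat the computation, never the password.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Form fields that must never reach a log sink (assumed names).
SENSITIVE = {"password", "new_password", "password_confirmation"}

def log_request_unsafe(request: dict) -> str:
    # The failure mode in the article: serialising the whole form writes the
    # plaintext password into the internal log store.
    return json.dumps(request)

def log_request_redacted(request: dict) -> str:
    # Redact sensitive fields before the record is ever emitted.
    return json.dumps({k: ("[REDACTED]" if k in SENSITIVE else v)
                       for k, v in request.items()})

def handle_password_reset(request: dict, user_store: dict, log_lines: list) -> bool:
    """Hypothetical reset handler: logs a redacted record, stores only the hash."""
    log_lines.append(log_request_redacted(request))
    user_store[request["user"]] = hash_password(request["new_password"])
    # Sanity check that the stored hash verifies against the new password.
    return verify_password(request["new_password"], user_store[request["user"]])
```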

According to Twitter, the unmasking of users’ passwords was caused by a bug, which Twitter said it discovered on its own. However, Twitter appears to have found it only days after GitHub experienced the same sort of software flaw.

Earlier this week, GitHub sent an email to some users stating the following:

During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users’ passwords to our internal logging system, including yours. We have corrected this, but you'll need to reset your password to regain access to your account.

GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time. Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs.

GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way.

Change Your Password Now

Twitter is now asking users to change passwords both for Twitter and for any other service where they may have used the exact same password, just in case someone may have stolen them in the time the passwords were unmasked. However, the company said it has found no evidence of a recent data breach.

Even though the National Institute of Standards and Technology (NIST) has recommended the deprecation of SMS authentication because it’s not secure, Twitter continues to rely on it for both two-factor authentication and password resets. This means anyone’s passwords could potentially be retrieved by malicious actors either by impersonating them to their carriers or by hacking the SS7 system that interconnects carrier towers. Twitter users are not given the choice to disable SMS codes for password resets or to use an alternative for two-factor authentication such as U2F hardware tokens or app authenticators such as Google Authenticator or Authy.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • therealduckofdeath
    FSB: "Would you be able to give us all the passwords?"
    Twitter: "Sure, because we don't have any ethics."
    (It's funny because it's not unlikely to be untrue)
  • bit_user
    In an era when tweets can start wars, this is just awesome.

    I remember when Obama took office, they told him he had to give up his iPhone for a special, secure Blackberry. Someone needs to pry twitter out of PotUS' hands.
  • irfbhatt
    Well, the service must be more secure!
  • bit_user
    > mapesdhs voted down for this answer May 6, 2018 4:59:43 PM

    Someone seems to have missed the sarcasm...