Twitter announced that for the past few months its users’ passwords had been unmasked. That means that if anyone had breached the company’s servers during this time, they could have seen all of its users’ plaintext passwords.
Normally, user passwords are never stored as typed; they are “hashed” (transformed by a one-way cryptographic algorithm into a fixed-length string that cannot be turned back into the original) so that an attacker who obtains the stored values after a data breach still does not learn the actual passwords. The same technique lets the service validate a login without ever keeping the password: it hashes what the user types in the text box and checks whether the result matches the stored password hash.
According to Twitter, the unmasking of users’ passwords was caused by a bug, which Twitter said it discovered on its own. However, Twitter employees appear to have discovered it days after GitHub experienced the same sort of software flaw.
Earlier this week, GitHub sent an email to some users stating the following:
During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users’ passwords to our internal logging system, including yours. We have corrected this, but you'll need to reset your password to regain access to your account.

GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time. Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way.
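The two halves of this story fit together in a few lines of code: the hashing scheme explained above, and the failure mode GitHub's email describes, where a password-reset request is written to a log before the hash is computed. The following is an added example, not Twitter's or GitHub's code. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt (the iteration count and the list of credential field names are assumed), and the request that is logged is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not Twitter's or GitHub's code). PBKDF2-HMAC-SHA256 stands in
# for the bcrypt GitHub mentions; the iteration count is an assumed default.
PBKDF2_ITERATIONS = 210_000
# Request-parameter names treated as credentials (assumed; adapt to your app).
CREDENTIAL_FIELDS = frozenset(
    {"password", "new_password", "password_confirmation", "current_password"}
)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, slow hash and pack it as
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    Only this string is written to the user database; the password itself is not.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the typed password and compare it with the stored one.

    The comparison is constant-time, so response timing does not reveal how many
    leading bytes of the digest matched.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations),
                                        dklen=32)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex, bad integer
        return False


def redact_credentials(params: dict) -> dict:
    """Return a copy of request parameters with credential fields masked for logging."""
    return {key: ("[REDACTED]" if key.lower() in CREDENTIAL_FIELDS else value)
            for key, value in params.items()}


def format_request_log(path: str, params: dict, redact: bool = True) -> str:
    """Build the log line for a request.

    redact=False reproduces the bug class in the article: the plaintext password
    submitted on the reset form lands in the log, even though the database only
    ever sees the hash.
    """
    shown = redact_credentials(params) if redact else params
    fields = " ".join(f"{key}={value}" for key, value in sorted(shown.items()))
    return f"POST {path} {fields}"


if __name__ == "__main__":
    # Constructed sample: a user sets a new password through the reset form.
    reset_request = {"user": "alice", "new_password": "correct horse battery staple"}
    record = hash_password(reset_request["new_password"])
    print("stored   :", record)
    print("login ok :", verify_password("correct horse battery staple", record))
    print("wrong pw :", verify_password("correct horse battery stable", record))
    print("buggy log:", format_request_log("/password_reset", reset_request, redact=False))
    print("fixed log:", format_request_log("/password_reset", reset_request))
```

The point of the redaction step is that a correct hashing scheme does not by itself prevent the exposure described here: the hash protects the database, but any code path that sees the plaintext before hashing (request logging, crash reports, debug traces) has to be treated as a place where the password can leak.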
Change Your Password Now
Twitter is now asking users to change their password both on Twitter and on any other service where they used the exact same password, in case someone stole it during the time the passwords were unmasked. The company said, however, that it has found no evidence of a recent data breach.
Even though the National Institute of Standards and Technology (NIST) has recommended deprecating SMS authentication because it is not secure, Twitter continues to rely on it for both two-factor authentication and password resets. This means a malicious actor could potentially take over anyone’s account through the SMS-based password reset, either by impersonating the victim to their carrier or by attacking the SS7 signaling system that interconnects carrier networks. Twitter users are not given the choice to disable SMS codes for password resets or to use an alternative second factor such as U2F hardware tokens or app authenticators such as Google Authenticator or Authy.
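The app authenticators named above (Google Authenticator, Authy) implement time-based one-time passwords (TOTP, RFC 6238), which never touch the phone network: the code is computed locally from a shared secret and the clock, so neither carrier impersonation nor SS7 is in the picture. The following is an added example, not Twitter's code, showing how a server generates and verifies such codes, including the usual tolerance for clock drift. The secret is the RFC 6238 test secret, chosen so the output can be checked against the RFC's published vectors; the time-step and digit counts are the common defaults.

```python
import base64
import hashlib
import hmac
import time

# Added example (not Twitter's code): RFC 6238 TOTP as used by authenticator apps.
# The secret is the RFC 6238 SHA-1 test secret so results match the RFC vectors.
RFC6238_TEST_SECRET = b"12345678901234567890"
TIME_STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6,
         step: int = TIME_STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                digits: int = 6, step: int = TIME_STEP_SECONDS) -> bool:
    """Accept the code for the current step or up to `window` steps either side.

    The small window absorbs clock drift between the phone and the server; the
    comparison is constant-time so timing does not leak partial matches.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, digits, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret that apps read from the enrolment QR code."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)         # restore padding that QR payloads omit
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_TEST_SECRET, now)
    print("current code:", code)
    print("accepted now :", verify_totp(RFC6238_TEST_SECRET, code, now))
    print("accepted +30s:", verify_totp(RFC6238_TEST_SECRET, code, now + 30))
    print("accepted +90s:", verify_totp(RFC6238_TEST_SECRET, code, now + 90))
```

In production the shared secret is stored per user and generated with os.urandom at enrolment; a server should also remember the last accepted time step for each user so that a code cannot be replayed within its validity window.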