Slashdot Mirror


Twitter Says Glitch Exposed 'Substantial' Number of Users' Passwords In Plain Text (reuters.com)

Twitter is urging its more than 330 million users to change their passwords after a glitch exposed some in plain text on its internal computer network. Reuters is first to report the news: The social network said an internal investigation had found no indication passwords were stolen or misused by insiders, but that it urged all users to consider changing their passwords "out of an abundance of caution." Twitter's blog post did not say how many passwords were affected. Here's what Twitter has to say about the bug: "We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard. Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."

The social networking service is asking users to change their password "on all services where you've used this password." You can do so via the password settings page.

3 of 107 comments

  1. Re:Why do they have the fucking passwords!? by sremick · Score: 5, Informative

    You could, of course, just read the blog post to get your answer. But since you're not only an anonymous coward, but a lazy and/or incompetent one as well:

    "We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.

    Due to a bug, passwords were written to an internal log before completing the hashing process."

  2. Re:Why do they have the fucking passwords!? by darkain · Score: 5, Informative

    To clarify this: when a user logs in, they have to provide their password. Most likely, their HTTPD was logging the entire POST header of ALL requests, regardless of whether it potentially stored sensitive information or not. This occurs before the application receives the data and can hash it. This is a potential security issue on virtually every HTTPD that is misconfigured. GitHub just announced pretty much the exact same thing earlier this week. Odds are one of these announcements triggered an audit in the other's organization to look for the same misconfiguration and they found it. https://www.zdnet.com/article/...

  3. Re:twitter twats by Hallux-F-Sinister · Score: 3, Informative

    ^^^ this ^^^. This kind of mistake is worth a little class action. Non-negligent companies don't deploy noob code like this ("der...dump all POST input because we have our fingers in production...herp!") on the machines that actually parse the passwords (or any other sensitive data). Non-negligent companies also have tests for exactly this kind of thing (e.g., try signing on as "user123 / pass123", then make sure "pass123" isn't actually in the log).

    Yes. Sue them for every cent you never paid them to use their free service. Recall that your ability to do so was predicated, when you signed up for an account (without which there'd have been no way for you to use the service), upon your agreement that you understood the provider (Twitter) was not liable for damages to you of any kind arising through your use of the service, blah blah blah. Best of luck with your "class action". Oh, odds are there won't be one because by using Twitter, you probably signed away your rights to sue, and will instead be forced into binding arbitration, from which you will get literally nothing.

    Oh, PS, BTW... class action lawsuits, when they CAN and DO actually go forward, make class action attorneys rich when they win, and after those costs are paid, net almost vanishingly small benefits for members of the injured class, which years later if your side wins, when you finally get them, are worth so goddamned little that it ends up not even being worth the time it took for you to read what you had to for the bullshit settlement.

    For example, I was once part of a class for a lawsuit against 24 Hour Fitness, over their marketing practices, about 8 or 10 years ago. Years later, I got a check for a whopping TWENTY FIVE DOLLARS! Holy fucking shit, I shouted when I found out about how much I would one day receive a check for, I'm gonna be fucking rich! Then I went about my otherwise shitty day, that that announcement of a preliminary agreement to a settlement made no impact on. About 3 or 4 months later, I got the check, and had dinner at a nice, fairly fancy Korean restaurant, and had almost enough left over from the check for ice cream.

    But again, good luck suing Twitter for "damages."

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
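The logging misconfiguration darkain describes (the full POST body written to a log before the application hashes anything) and the canary-password regression test suggested in comment 3, as an added example that is not from any of the posts above. The function names, the `SENSITIVE_FIELDS` list and the sample request body are assumptions made for the illustration; it uses only the Python standard library.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample: the body of a login POST exactly as an HTTP server sees it,
# i.e. before the application has had any chance to bcrypt the password.
SAMPLE_BODY = "username=user123&password=pass123&remember=1"
CANARY_PASSWORD = "pass123"  # the throwaway test credential from the comment
SENSITIVE_FIELDS = {"password", "passwd", "new_password", "old_password"}


def log_request_raw(method: str, path: str, body: str) -> str:
    """The misconfiguration: the request body is written to the log verbatim,
    so a plaintext password ends up on disk alongside the access log."""
    return f'{method} {path} body="{body}"'


def log_request_redacted(method: str, path: str, body: str) -> str:
    """Hardened variant: known credential fields are scrubbed before the
    line is formatted, so the log never contains the secret at all."""
    fields = parse_qs(body, keep_blank_values=True)
    scrubbed = {k: (["REDACTED"] if k.lower() in SENSITIVE_FIELDS else v)
                for k, v in fields.items()}
    return f'{method} {path} body="{urlencode(scrubbed, doseq=True)}"'


def find_canary_leaks(log_lines, canary: str):
    """The regression test from the comment: log in with a known throwaway
    password, then scan every log line for it. Returns the 1-based line
    numbers that contain the canary; an empty list means no leak."""
    pattern = re.compile(re.escape(canary))
    return [i for i, line in enumerate(log_lines, start=1) if pattern.search(line)]


def demo():
    """Run the canary check against both loggers; returns (vulnerable, hardened)."""
    vulnerable_log = [log_request_raw("POST", "/login", SAMPLE_BODY)]
    hardened_log = [log_request_redacted("POST", "/login", SAMPLE_BODY)]
    return (find_canary_leaks(vulnerable_log, CANARY_PASSWORD),
            find_canary_leaks(hardened_log, CANARY_PASSWORD))


if __name__ == "__main__":
    leaks_raw, leaks_redacted = demo()
    print("raw logger leaked canary on lines:", leaks_raw)        # [1]
    print("redacted logger leaked canary on lines:", leaks_redacted)  # []
```

In a real deployment the same scan would run over the server's actual log files after a scripted test login, so the check catches a leak regardless of which layer (web server, proxy, or application) wrote the line.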