Twitter Says Glitch Exposed 'Substantial' Number of Users' Passwords In Plain Text (reuters.com)
Twitter is urging its more than 330 million users to change their passwords after a glitch exposed some in plain text on its internal computer network. Reuters was first to report the news: The social network said an internal investigation had found no indication passwords were stolen or misused by insiders, but that it urged all users to consider changing their passwords "out of an abundance of caution." The blog post did not say how many passwords were affected. Here's what Twitter has to say about the bug: "We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard. Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."
The social networking service is asking users to change their password "on all services where you've used this password." You can do so via the password settings page.
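The failure Twitter describes is an ordering problem: the request was logged while the password was still plaintext, before the hash was computed. The following added example (not Twitter's code, and not from the article) shows the two defensive layers a login path should have: a password hash that is the only form ever stored, and a logging filter that redacts credential-looking fields before any record reaches a log sink, so that even a mistaken log call cannot leak the secret. The page names bcrypt; this example uses `hashlib.scrypt` from the Python standard library as a stand-in so it runs without extra packages. All function names, the regex, and the sample credentials are constructed for illustration.

```python
import hashlib
import logging
import os
import re
import secrets
from io import StringIO
from typing import Optional

# Assumption: scrypt stands in for bcrypt here because it ships with the standard library.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted scrypt hash; this string is the only thing that should be persisted."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return secrets.compare_digest(candidate.hex(), digest_hex)


# Matches key=value or key: value pairs whose key looks like a password field.
_SECRET_RE = re.compile(r"(?i)(password|passwd|pwd)(\s*[=:]\s*)\S+")


class RedactSecrets(logging.Filter):
    """Handler-level filter: rewrite the formatted message so secrets never hit the sink."""

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()          # applies %-formatting with record.args
        record.msg = _SECRET_RE.sub(r"\1\2[REDACTED]", message)
        record.args = None                     # already formatted; prevent a second % pass
        return True


def handle_login(username: str, password: str, stored_hash: str, log: logging.Logger) -> bool:
    # This is the mistake pattern from the article: logging the request while the
    # password is still plaintext. The filter on the handler is what makes it survivable.
    log.info("login attempt user=%s password=%s", username, password)
    return verify_password(password, stored_hash)


def build_logger(stream: StringIO) -> logging.Logger:
    """A private logger writing to an in-memory stream so the demo is self-contained."""
    log = logging.getLogger("redaction_demo")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactSecrets())
    log.addHandler(handler)
    return log


def demo() -> tuple:
    """Run one login through the pipeline; returns (login_ok, captured_log_text)."""
    stream = StringIO()
    log = build_logger(stream)
    plaintext = "hunter2-constructed-sample"      # constructed sample password
    stored = hash_password(plaintext)
    ok = handle_login("alice", plaintext, stored, log)
    return ok, stream.getvalue()


if __name__ == "__main__":
    login_ok, captured = demo()
    print("login ok:", login_ok)
    print("log line:", captured.strip())
```

The filter is attached to the handler rather than the logger so it also covers records that arrive via propagation from child loggers; in a real service the same redaction belongs on every sink (file, syslog, APM exporter), and the longer-term fix is to never pass the raw credential to a logging call at all.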
Due to a bug, passwords were written to an internal log before completing the hashing process.
Repeat, that is not a bug. That is intentional. It was designed to do this. You cannot call an intentional act a bug.
Not irrelevant. And "back in the day", a lot of folks would have noted this right off, and posted under their actual logins, instead of being afraid of making geeky observations about the weakness of the writing/editing.
I'm pretty sure this response comment will get modded down, but hey. Old /.ers don't die, they just get modded into oblivion...
Check your premises.
But honestly, this should be handled client side, not server side. That plaintext password should never be sent over HTTPS even. I haven't played with web development in about 20 years, so I can't say how easy this is to do. But I can say that if it's not easy to do in HTML/CSS/PHP/whatever is used, there is something wrong with the language and it should probably never be used for secure access to anything. Just my 2 pennies' worth.