On May 3, Twitter confirmed a bug, discovered in its internal systems, impacting 330 million users. The “Twitter bug” affected Twitter’s internal password hashing mechanism, allowing plaintext passwords to be stored in its databases.
In the programming world, a bug is an “error” or “flaw” in code that causes something unexpected (and often undesired) to happen. Twitter has confirmed that the bug has been fixed and that there is no evidence user information was misused.
The “Twitter Bug” Explained
Twitter confirmed that the bug was discovered internally and was addressed immediately. The bug allowed Twitter passwords to be written and stored in plaintext before the hashing process had been completed.
Twitter Explains Hashing Bug
Twitter explained the bug in a public statement on May 3, 2018:
We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters stored in Twitter’s system. This allows us to validate your account credentials without revealing your password. This is an industry standard.
Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords and are implementing plans to prevent this bug from happening again.
Twitter uses “bcrypt,” a password hashing function that combines your password with a random value (a salt) and turns it into a fixed-length scrambled string of numbers, letters and characters. In normal operation, user passwords are hashed with bcrypt and only the resulting hash is stored in the company’s internal database. Twitter uses bcrypt to make your passwords harder to crack if they should ever fall into the wrong hands.
What is password hashing?
Password hashing is a security mechanism that adds an extra layer of protection to your passwords. Hashing creates a new “version” of your password by converting it, one way only, into a string of numbers, letters and characters from which the original password cannot practically be recovered.
Passwords in “plaintext” can be viewed as they were originally created. For example, if your password is “mypassword2018,” your plaintext password is “mypassword2018.”
Once “mypassword2018” is hashed, it turns into a fixed-length string of seemingly random characters, which makes the password harder for fraudsters to misuse. Most online companies hash passwords to better protect user login credentials, even if the stored data is breached.
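The following is an added example, not Twitter’s code or anything from the statement quoted above. It shows the mechanism the post describes: a password is salted and hashed before storage, a login check re-derives the hash instead of storing the password, and the “log before hashing” mistake leaks the plaintext even though the stored hash is fine. Twitter uses bcrypt, which needs the third-party `bcrypt` package; to run offline this example substitutes PBKDF2-HMAC-SHA256 from Python’s standard library (an assumption, and the salting, verification and logging logic are the same either way). The function names, the work factor and the sample password “mypassword2018” from the post are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor (bcrypt expresses this as a "cost" parameter instead).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per password means two users with the same password
    get different stored values, exactly as bcrypt does.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time.

    The plaintext password is never stored; only the hash is kept, and the
    check works by hashing the candidate the same way.
    """
    try:
        _algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed rather than crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def register_buggy(username: str, password: str, users: dict, log: list) -> None:
    """Shape of the bug in the post: the request is logged *before* hashing,
    so the plaintext password lands in an internal log even though the
    database only ever receives the hash."""
    log.append(f"register username={username} password={password}")  # the bug
    users[username] = hash_password(password)


def register_fixed(username: str, password: str, users: dict, log: list) -> None:
    """Corrected form: hash first and log only non-secret fields."""
    users[username] = hash_password(password)
    log.append(f"register username={username}")


def plaintext_in_log(log: list, password: str) -> bool:
    """Defender-side check: does any log line contain the plaintext password?
    A test like this in the build pipeline catches the bug before release."""
    return any(password in line for line in log)


if __name__ == "__main__":
    users, log = {}, []
    register_fixed("alice", "mypassword2018", users, log)
    print("stored:", users["alice"])
    print("login ok:", verify_password("mypassword2018", users["alice"]))
    print("wrong password ok:", verify_password("mypassword2019", users["alice"]))
    print("plaintext leaked to log:", plaintext_in_log(log, "mypassword2018"))
```

Run it directly to see the stored record, a successful and a failed login check, and that the fixed registration path leaves no plaintext in the log. Note that `register_buggy` stores exactly the same kind of hash as `register_fixed`; the database is not what leaks, the log is, which is why the check scans logs rather than the user store.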
What should I do?
Changing your passwords on a regular basis is a basic rule of thumb for online account security. Even though Twitter has confirmed that the bug has been fixed, it can still present major risks to Twitter users’ account privacy and security.
Use the tips below to help secure your passwords from potential misuse:
- Change your Twitter password as soon as possible. Ensure that you are using a combination of upper- and lowercase letters, numbers and special characters.
- Avoid reusing your Twitter password elsewhere, so that a compromised Twitter password cannot be used by hackers to access your other online accounts.
- Review your login authentication settings in your Twitter account. Consider using multi-factor authentication so that accessing your account requires more than just your username and password.
Continue following Fighting Identity Crimes for more updates on this story, other breach and scam updates, ID protection news & tips from our industry experts.
The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.