"We're Sorry" - Twitter Shares Slide After Admitting Password Storage Problem

Shortly after the close, Twitter announced - via a blog post - that it had identified a bug that enabled stored passwords to be unmasked.

The share kneejerked lower and are holding down around 2-3% for now - though the company claims it has resolved the issue, they recommend every user change their password.

From Twitter's blog,

When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.

About The Bug

We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.  

Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.

Tips on Account Security

Again, although we have no reason to believe password information ever left Twitter’s systems or was misused by anyone, there are a few steps you can take to help us keep your account safe:

  1. Change your password on Twitter and on any other service where you may have used the same password.
  2. Use a strong password that you don’t reuse on other websites.
  3. Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security.
  4. Use a password manager to make sure you’re using strong, unique passwords everywhere.

We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.


GeoffreyT css1971 Thu, 05/03/2018 - 19:50 Permalink

Not on a production server, but you might store them during development so that you can test that the hash algorithm is creating sufficient entropy. To test that, you need the plaintext and the hashtext - so you store the plaintext during the development phase... and you remove the logging code as part of the process of moving to the production version.


There are really only 3 alternative explanations for this, none of which is good -

① Twitter fucked up the transition from dev to production - failing to remove the testing code that logged plaintext passwords. This raises the question: how long has this code been in the production server?

② A Twitter employee with sufficient trust, left the code in during review deliberately - with a view to retaining access to the log.

③ Twitter had an organisational desire (or need) to store user passwords in an accessible format (perhaps to comply with a US NSL?) - and they became aware that someone who knew about it was going to blow the whistle.


In terms of probability, ① should be set to near zero for any dev team worth spit: anything that logs (in fact, anything that writes to the server at all - including database calls) is a super-obvious candidate for eyeballing to verify it should remain in a production version. (It also says something pretty awful about their file-management: there was a file that was growing in line with the userbase, but their sysadmins never saw it happening? That's some shoddy shit, guys).

② has a pretty high probability: large tech firms are a very desirable place for espionage - the ROI of a successful infiltration can be staggering (a lot of people use the same password on multiple platforms: get their Twitter password, and you have their 'everything' password). Again, it raises flags about filesystem management.

③ is the most likely answer. 

In reply to by css1971

GeoffreyT Friedrich not Salma Thu, 05/03/2018 - 19:58 Permalink

It's less to do with Zuckerberg Goes to Congress, and more to do with parts of the EU bureaucracy getting up on their hind legs.

Quite a few tech companies use Ireland as a flag of convenience - however they behave as if user data is, or ought to be, subject to US laws (which are extremely weak - they're on a par with the former Soviet Union).

The EU has started to push back against that, because they understand (finally) that the US government is not their friend.

They also understand that the US view is that any data that transits the US, can be scraped up by the NSA: the "right to be forgotten" crowd in Europe (which is a non-trivial constituency) has made their politicians understand that it is not in the politicians' interest to permit that to continue.

In reply to by Friedrich not Salma

rosiescenario Thu, 05/03/2018 - 17:16 Permalink

A bit off topic, but I am puzzled that a publicly traded company such as FacePlant can use its shareholders assets and cash for the managements' political purposes.

bugs_ Thu, 05/03/2018 - 22:29 Permalink

For those that have different passwords for each site etc sometimes you may try to log on to twitter with another site password by mistake.

Consider that those mistake passwords have probably also been harvested in addition to your twitter password + all twitter password typos.