May 3, 2018

Twitter just asked all 300+ million users to reset their passwords, citing the exposure of user passwords via a bug that stored passwords in plain text — without protecting them with any sort of encryption technology that would mask a Twitter user’s true password. The social media giant says it has fixed the bug and that so far its investigation hasn’t turned up any signs of a breach or that anyone misused the information. But if you have a Twitter account, please change your account password now.

Or if you don’t trust links in blogs like this (I get it) go to Twitter.com and change it from there. And then come back and read the rest of this. We’ll wait.

In a post to its company blog this afternoon, Twitter CTO Parag Agrawal wrote:

“When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

A message posted this afternoon (and still present as a pop-up) warns all users to change their passwords.

“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.”

Agrawal explains that Twitter normally masks user passwords through a state-of-the-art encryption technology called “bcrypt,” which replaces the user’s password with a random set of numbers and letters that are stored in Twitter’s system.

“This allows our systems to validate your account credentials without revealing your password,” said Agrawal, who says the technology they’re using to mask user passwords is the industry standard.

“Due to a bug, passwords were written to an internal log before completing the hashing process,” he continued. “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
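The mistake Agrawal describes, as an added Python example that is not Twitter's code: a login handler that logs the raw form before the password is hashed, beside a hardened version that logs only the username and carries a redaction filter as a backstop. bcrypt is stood in for by the standard library's PBKDF2-HMAC so the example runs without third-party packages; the user, password and iteration count are constructed values.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

ROUNDS = 100_000  # PBKDF2 iteration count (constructed value for the demo)

# Stand-in for bcrypt: stdlib PBKDF2-HMAC-SHA256, so the example runs with no third-party package.
def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

class RedactSecrets(logging.Filter):
    """Defence in depth: scrub credential-looking fields out of any message that reaches a handler."""
    PATTERN = re.compile(r"('(?:password|passwd|token)': )'[^']*'")

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.PATTERN.sub(r"\1'[REDACTED]'", record.getMessage())
        record.args = ()
        return True

def make_logger(name: str, redact: bool):
    """In-memory logger so the caller can inspect what would have gone to the log file."""
    buf = StringIO()
    log = logging.getLogger(name)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    if redact:
        handler.addFilter(RedactSecrets())
    log.addHandler(handler)
    return log, buf

def login_unsafe(form: dict, stored_hash: str):
    """The bug Agrawal describes: the raw form is logged before the password is hashed."""
    log, buf = make_logger("unsafe", redact=False)
    log.debug("login form: %s", form)  # plaintext password lands in the log
    return verify_password(form["password"], stored_hash), buf.getvalue()

def login_safe(form: dict, stored_hash: str):
    """Log identity, never the credential; the filter catches any stray debug line."""
    log, buf = make_logger("safe", redact=True)
    log.debug("login attempt for user=%s", form["username"])
    ok = verify_password(form["password"], stored_hash)
    log.debug("login form: %s", form)  # a careless leftover line, scrubbed by RedactSecrets
    return ok, buf.getvalue()
```

The returned log text is what a log shipper or backup would have captured, which is why the unsafe variant is a disclosure even if the authentication itself is correct.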

Agrawal wrote that while Twitter has no reason to believe password information ever left Twitter’s systems or was misused by anyone, the company is still urging all Twitter users to reset their passwords NOW.

A letter to all Twitter users posted by Twitter CTO Parag Agrawal

Twitter advises:
-Change your password on Twitter and on any other service where you may have used the same password.
-Use a strong password that you don’t reuse on other websites.
-Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security.
-Use a password manager to make sure you’re using strong, unique passwords everywhere.

This may be much ado about nothing disclosed out of an abundance of caution, or further investigation may reveal different findings. It doesn’t matter for right now: If you’re a Twitter user and if you didn’t take my advice to go change your password yet, go do it now! That is, if you can.

Twitter.com seems responsive now, but for some period of time Thursday afternoon Twitter had problems displaying many Twitter profiles, or even its homepage. Just a few moments ago, I tried to visit the Twitter CTO’s profile page and got this (ditto for Twitter.com):

What KrebsOnSecurity and other Twitter users got when we tried to visit twitter.com and the Twitter CTO’s profile page late in the afternoon ET on May 3, 2018.

If for some reason you can’t reach Twitter.com, try again soon. Put it on your to-do list or calendar for an hour from now. Seriously, do it now or very soon.

And please don’t use a password that you have used for any other account you use online, either in the past or in the present. A non-comprehensive list (note to self) of some password tips is here.

I have sent some more specific questions about this incident in to Twitter. More updates as available.

Update, 8:04 p.m. ET: Went to reset my password at Twitter and it said my new password was strong, but when I submitted it I was led to a dead page. But after logging in again at twitter.com the new password worked (and the old didn’t anymore). Then it prompted me to enter a one-time code from the app (you do have 2-factor set up on Twitter, right?) Password successfully changed!


45 thoughts on “Twitter to All Users: Change Your Password Now!”

    1. Masood Rahman

      Even if you have 2FA turned on, your password is exposed in clear text. That means if you are re-using your password somewhere else, you are at risk!

  1. The Sunshine State

    As the article states enable two factor authentication on your Twitter account.

  2. Somebody

    Interesting… I didn’t get that message.

    1. Rich56k

      I didn’t either!?

      I’ve gotten two ‘update to ToS and Privacy Policy’ emails in the last two days but nothing about PWs.

      Even checked both mobile and desktop versions of my account….nothing messages, notifications…neither

      So just how did they alert some accounts?

      1. killuaDev

        Neither did I, I wouldn’t have known at all if not for this

  3. Kip Boyle

    To turn on multiple factor authentication (MFA), visit your Account settings and enable the “Mobile security app” option…

  4. Ethan

    A very similar message was sent out a few days ago by GitHub via email.

    1. Tom

      Received a message from Github as well, but only on one of my accounts that has been created in the last two months.

    2. vb

      I received that GitHub message too. I didn’t trust the password reset link in the email. I’m surprised GitHub provided links in an email and expected users to click on them. That’s encouraging a poor practice. GitHub should know better.

      I went directly to GitHub and reset my password.

  5. robert.walter

    It’s amazing that Twitter didn’t force a log-out of all accounts and then force a password reset. (My guess is they don’t want to know how many of those signed in accounts aren’t really used. i.e. far fewer than they report.)

  6. Dennis

    I don’t understand one thing, Brian. If they indeed had all passwords encrypted with bcrypt how would they have them in a plaintext form in a log? The only way for that to happen is when someone creates an account. (And that is a very small minority of people.)

    There’s a second possibility though, which they probably don’t want to accept now: that they had a good number of customer passwords stored in plaintext (or MD5’ed or SHA-1’ed, which is kinda like storing it in plaintext) and those passwords were exposed.

    Am I missing something ?

    1. JCitizen

      Brian pretty well wrote what supposedly happened; maybe they ran the data through that ‘bcrypt’ scheme they said they use, and it dumped the file in a log that was “discovered” later.

    2. MattyJ

      Being a person that professionally worries about these things, my guess is that the ‘bug’ is really ‘poor design’ and that some debug code was left in production unintentionally. It states above that the passwords were written to a log prior to going through bcrypt, which is just a cypher that can be implemented in whatever way your backend tools want, to oversimplify.

      My worry is that these logs were ingested into something like Splunk, or are in backups somewhere. It would be interesting to know how Twitter intends to clean this up.

      To that end, that’s the tipping point for me. My process:

      * change password
      * delete account

      1. Gabriel

        Agreed.

        First it’s Linkedin and Equifax, then it’s Facebook/Cambridge Analytica. I was so convinced that Twitter is different. The most interesting thing for me is that they do not provide for how long these passwords were exposed.

        1. Rob Vargas

          Gabriel:
          To be clear, the Facebook/Cambridge Analytica breach wasn’t compromised passwords. The data was pulled from Facebook servers regardless of user login status.

          I get your point about privacy, but Cambridge Analytica didn’t “hack” that data. Facebook gave them access.

    3. Andy

      It would be very easy to capture usernames and passwords on every login not just creation when you have access to the login processing page.
      Pseudo code would be:
      Debug.print loginform.username
      Debug.print loginform.password    ' plaintext password written to the debug log before hashing
      $p = Bcrypt.verify loginform.password, storedhash    ' re-hash with the stored hash's salt and compare
      If $p Then $loggedin = true

    4. ls

      Password storage is not the password transmission process. In most cases, when you log in/set new password – this password is being sent (in plain-text form) via some HTTP POST parameter. It’s likely that this parameter was included in the log.

  7. JCitizen

    Good thing I read KOS, because I went to Twitter just to see if there was even a peep about this – *nothing* – I bet they didn’t even send emails out to customers with the news!

    ZDnet was given a wishy-washy statement that only a portion were affected, or at least a lot less than 300+ million users. Just as long as they don’t tell me “we take our customer’s security very seriously”; at least I don’t have to hear that, and obviously they don’t care.

    Thanks Brian!

  8. Elaine

    So the obvious question is why are they storing the passwords in a reversible fashion?

  9. Fazal Majid

    Bcrypt is not “state of the art”. It is vulnerable to GPUs and FPGAs. State of the art is argon2 or scrypt.

    I’m guessing they are disclosing this now because in 22 days they would be liable for 4% of their turnover in fines under Europe’s General Data Protection Regulation.

  10. jdmurray

    I wonder if the plain-text passwords written to the log were only mis-typed passwords that failed authentication. Programmers don’t usually consider the information leak that logging even a failed password is.

    1. timeless

      I just set up an open source add-on for an open source tool.

      When one sets up an account with this add-on, it logs the provided information (private key, decrypting password, …) in the application’s log file.

      It’s a very very very common mistake application developers make:
      To debug things, they log their inputs.

      One is supposed to remove such logging before shipping, or at least disable it before it goes into production…

      Since I always generate new passwords/keys, it didn’t bother me a lot, but I certainly won’t be using this module for a production system…

      This is why 2FA and unique keys are so important. In an ideal world, everyone knows your (acceptable) credentials and still can’t log in as you. This is how PKI works– instead of providing a symmetric password, you provide an asymmetric portion of a key pair–specifically the public key–at account setup, and at login, you’re provided with a challenge which you sign using the private portion of the key pair. Ideally anyone with access to the information can verify that you performed the authorization, but no one with the information can use it to produce another.

      Normal password submission doesn’t really work that way.

  11. maggardb

    ‘Agrawal explains that Twitter normally masks user passwords through a state-of-the-art encryption technology called “bcrypt,” which replaces the user’s password with a random set of numbers and letters that are stored in Twitter’s system.’

    s/replaces the user’s password with a random set of numbers and letters that are/calculates a hash of the user’s password that is/

  12. Santarosa

    One thing in all of this public event is annoying me: 24 hours before this disclosure, former Microsoft CIO Steve Ballmer sold all his Twitter stock but said he is still confident in the company. After this event, I don’t think a proper response was given, since this indicates some of Twitter’s partners got privileged information.

  13. Brad Maggard

    Let’s try this again: The result of “bcrypt,” is a hash, not “a random set of numbers and letters’.

    Not sure why my last attempt at making that point was moderated out.

  14. Grey

    Eh, it’s Twitter. Not Paypal, or my bank account, or anything I care about. I still changed my password, but I was in no hurry. I don’t reuse passwords in multiple locations.

  15. Question

    Hello Brian,

    I don’t own a twitter account. But I occasionally visit twitter to read tweets from influential people.

    Yesterday I googled “twitter” and the top search result was a paid AD that led me to a malicious website that seemed to be downloading 1000’s of “TMP File” and “CRDOWNLOAD” files onto my machine while also creating a red screen with a weird warning message. (At first I thought it was ransomware, and maybe it was but the script was broken?)

    Today the AD appears to have been removed from google search results.

    Could this be related to the twitter breach? Or perhaps just part of a much larger focused attack on twitter?

    1. D

      This isn’t an attack, as far as we know – just an error. Bad programming.

      What you describe is almost certainly coincidence. Or if it is related, it’s probably reactively – (i.e. the bad guys know that people will be searching about how to reset their Twitter passwords – so think it’s a good opportunity to trick people into handing over theirs.)

  16. Get Online Grand Rapids

    I do think it is really significant and shows a lot of integrity that Twitter is being up front about this and asking people to change their passwords even though they think the chances are really good that no one actually accessed them.

  17. EJ

    From the news account I heard last night on the BBC, the exposed passwords were on an internal server and were not exposed externally. I’d say the risk on this is pretty low.

  18. Oxfex

    Please do not change the password, because Twitter wants to track you and send spam

    1. YOhan

      Pretty please, don’t spread that silly kind of paranoia.

  19. jb

    Mobile app does not require re-login.

    I changed my password on a desktop, but can still access the app on my android phone WITHOUT having to enter my new password.

    So if someone stole my password and logged into an app experience, they still own me?

  20. Brian C

    This underscores the importance of using different passwords for each different service. If you use your password for Twitter elsewhere, better change that as well. It is a common tactic of hackers to try compromised passwords on other known or potential accounts related to their victim.

  21. Cybernetiv

    It is laudable that while Facebook and Uber Technologies are facing serious charges of Data security, Twitter came to the forefront and urged its 330 Million users to change their password. Twitter’s response was very professional as theoretically they could have just hidden the incident but rather they confessed that due to a glitch, user’s password was stored in a readable text to its internal computer system instead of disguising it by the process called hashing.

  22. Joshua

    I don’t remember mine, nor do I care to.

  23. Louise

    It wouldn’t apply to Disqus, because one logs in via twitter. That little popup is a twitter url. It doesn’t make sense, to change your log in on twitter services, when the log in is via twitter! The mobile phone stuff I am not acquainted with . . .

  24. Ken Notlogin

    I would LOVE to be able to change my password on Twitter.com. BUT, every time I’ve attempted to login, I end up at a page with nothing on it (other than the Twitter styling) except a link labelled “Continue” and pointing to https://twitter.com.

    Nothing happens when you click the link. And no way to change the password. And no (official) way to log out again.

    Anyone care to provide the direct link to the change password page – I can try to access it directly once I have logged in. Doubt it will work, since I’ve tried directly accessing my profile page and all it does is reload the page described above.

    1. Louise

      Here is the address to change your twitter psswd:

      twitter.com/settings/password

  25. Louise

    After the twitter new terms announcement, I asked twitter if it has a new partnership with Google, as Facebook has a partnership with Google . . . and received no response . . . Now, today I see twitter addresses feature in a large way in a redesigned Google news! It is a valid question, because I viewed twitter as a last hold-out on Google, where I could upload content outside Google’s reach. It is valid, if I use Google nearly every time I get on my desktop (no smartphone, yet), because I don’t want a behemoth assembling more information on me!

    P.S. my comments seemed to disappear, so I am posting under a different email address.

  26. Louise

    . . . so, telling you to change your twitter psswds may serve other purposes, if twitter has partnered with Google or I should say Alphabet or one of its subsidiaries, by specifying which IP addresses or an IMEI-number of the mobile phone are associated with which twitter accounts, it has exponentially more access to your mind share (is what I label this commodity), as it already does with Facebook. It is no fluke that Facebook profits rocketed after its initial dim earnings reports, after Facebook went public, when Google partnered with Facebook for unparalleled access to user behavior, or the psychological ads which influenced the election scandals, etc. . . . Twitter is the last frontier for Google. It wants it all.

    1. Louise

      Here is an excerpt of Google terms:

      *************Quote****************

      How ads work on Google partner sites

      Many websites and mobile apps partner with us to show ads. These advertisers decide to show given ads to audience “types” based on personal information our users have shared with us and data we collect about your online activities: for instance, “25 – 34 year old males who are interested in travel.”

      ***********Unquote*************************
      https://privacy.google.com/how-ads-work.html?modal_active=how-ads-work-proof-overlay&article_id=c4-p-partner-site-ads-4

      The above isn’t contingent on being signed in to your Google account, but Google collects based on IP address and IMEI-number, which it combines with data from all its partners and affiliates who collect these via their websites if they display AdSense or DoubleClick, so that Google has an ultimate database of a person’s interests and behaviors, which it sells, so that websites and services can continue to be used “free of charge.” What a cost these free services have cost the individual!

  27. Louise

    One last thing . . .

    The new Google news is slow-scrolling. Likely, there is some collection process going on to recreate your session, called, “session replay,” to gather info on your viewing habits, where you pause, and where you click . . . It’s a new level of studying user news reading habits. It’s all allowed under Google privacy, which allows everything! Here is the term which pertains to that, for what it is worth:
    https://policies.google.com/technologies/types

    That is why a partnership with twitter has anti trust implications, because twitter is a popular source for news . . . Which news is popular with a viewer is another inroad into his psychology, which could fine tune influencing ads. Twitter has advantages over Google news. It is my preferred source for certain types of news. It is disturbing to me the news offered via twitter is going to supply Google another source of my mind share.

Comments are closed.