Twitter saved your password as plain text: Now it says to change it

Twitter is warning every user on its service to change their password, after discovering that it was inadvertently storing login credentials as plain text. The company announced it had 336m monthly active users only last month, and it turns out it was storing their passwords completely unmasked in an internal log.

The news was revealed today, with Twitter insisting that it has no record of any breach of the password log goof, nor of its misuse by anybody. However, the recommendation is still that users should change their password as a precaution and, indeed, anywhere else that they've used the same password.

According to Twitter, the error was identified internally. As is the case with most services requiring login credentials, Twitter uses hashing to mask the password set by the user. Using bcrypt, it transforms the actual password into a random set of characters; it's those which Twitter stores, and which are used to authenticate your account.

Problem is, a step in that bcrypt hashing process wasn't playing ball. "Due to a bug, passwords were written to an internal log before completing the hashing process," Twitter's Parag Agrawal, Chief Technical Officer, wrote today. "We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."

It's an embarrassing blunder, but Agrawal insists that Twitter's investigation suggests none of the passwords ever left the company's servers. Indeed, according to the CTO, we should instead be thankful that the firm actually deigned to tell us it had messed up.

"We are sharing this information to help people make an informed decision about their account security," Agrawal tweeted. "We didn't have to, but believe it's the right thing to do."

As always, the advice is to use a strong password, and enable login verification within your Twitter account. That uses 2-factor authentication to add an extra layer of security atop just the normal username and password. Of course, if you used the same credentials for another site or service, you should also change them there, too.