Twitter announced today that a bug allowed users' passwords to be stored internally without being masked. When things are working correctly, Twitter stores hashed passwords, turning them into random letters and numbers so that no one at the company can see what any user's password is. But a bug caused passwords to be stored within an internal log before the hashing process was complete. Twitter says that it spotted the problem itself and fixed it. But while it claims there has been no evidence that the passwords were misused or that they left the company's systems, Twitter is recommending that everyone change their passwords just to be safe.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you've used this password. https://t.co/RyEDvQOTaZ— Twitter Support (@TwitterSupport) May 3, 2018
In a blog post about the issue, Twitter suggests its users also use a strong password that's not used on other sites, enable two-factor authentication and use a password manager to keep track of unique passwords -- typical recommendations for online security. The company said that the password problem was uncovered recently, but didn't say exactly when or how long the passwords had been exposed.
"We are very sorry this happened," Twitter said. "We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."