Yesterday morning we were woken up to a major security incident, with Twitter advising all its users to change their passwords following a bug in the company’s systems which led to those passwords temporarily being stored in plain text (rather than being hashed, ie disguised as a string of meaningless random letters and numbers via an algorithm).
Off the bat, it’s important to note that this is not a security breach – an actual known leak of user data – as such, because Twitter asserts that the unmasked passwords were stored in an internal log, and only there, with an investigation finding “no indication of breach or misuse” of those passwords.
As David Emm, the principal security researcher at Kaspersky Lab, explains: “Twitter’s notification indicates that they hash passwords using bcrypt. They say that, because of a bug, unhashed passwords were stored in an internal log. They don’t believe that the passwords have been exposed, but are alerting people just to be on the safe side.”
So the advice to change your password is a precautionary measure taken, in the firm’s words, out of an “abundance of caution”.
In short, Twitter believes that there is nothing awry, and no password data has been leaked externally in any form, but evidently can’t declare this as a watertight certainty. Hence the need for the aforementioned caution, which Twitter has been careful to frame in the least-worrisome light possible with the use of a term like ‘abundance’.
Of course, Twitter also advised folks to change their password on “all services where you’ve used this password” – in other words, on any online accounts where you’ve reused your Twitter password.
And a lot of folks could be in that boat, as Steve Schult, senior director of product management at LastPass, told us: “Many people are going to want to change their Twitter password today because we know people are continuing to use some pretty risky password behaviours.
“In fact, in our recent Psychology of Passwords survey we found that 91% knew that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so.”
Raj Samani, chief scientist and fellow at McAfee, added: “McAfee’s recent research revealed a third of people rely on the same three passwords for every account they’re signed up to.
“If you use the same password for Twitter and a number of other apps and accounts, a cybercriminal only needs to get their hands on this once to potentially gain access to private and even financial information. Hopefully, Twitter’s news will prompt people to wake up and really think about the passwords they’re using.”
What was your reaction to the news from Twitter?
Let us know in the comments!