Twitter: We Goofed; Change Your Password NowPasswords Inadvertently Saved to Log in Plaintext Format; Twitter Blames Bug
Just in time for World Password Day - that was Thursday - Twitter has apologized after it discovered a bug in its systems that inadvertently caused passwords to be stored in plaintext in an internal log.
See Also: The Global State of Online Digital Trust
Users would be at risk if a hacker penetrated Twitter's internal systems and obtained the log. But Twitter doesn't believe that the data has been misused or has left its systems, says Parag Agrawal, the company's CTO, in a Thursday blog post detailing the password flub.
Nonetheless, the company is recommending a password reset for its more than 300 million users.
"We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone," Agrawal writes. "We found this error ourselves, removed the passwords and are implementing plans to prevent this bug from happening again."
Troy Hunt, an Australian security expert, says Twitter's disclosure is significant because of the number of accounts affected and because the passwords were stored as plaintext.
"We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone."
—Parag Agrawal, Twitter's CTO
But at the same time, the risk appears to be low, particularly for Twitter users that have two-factor authentication enabled, Hunt says. Even with a username and password, an attacker would need a one-time passcode sent either by SMS or generated by an authentication app to log into an account.
"It's not something I'd lose any sleep over," Hunt says.
"The engineering teams should have caught this glaring mistake, red teams and penetration testers should have taken a closer look, and it really calls into question the control environment," Pierson says.
The safest way for service providers to store passwords is to hash them, meaning to take a plaintext password and process it through a one-way hash function. In theory, it should be difficult or impossible to take a hash and discover the plaintext password.
Twitter uses the bcrypt algorithm to hash passwords. Many services have moved to using bcrypt and away from algorithms such as MD5 and SHA1, which are widely considered to be too weak to protect plaintext passwords.
Both MD5 and SHA1 are overly susceptible to brute-force cracking. Advances in computer hardware have made it easier to rapidly generate long lists of hashes using dictionaries of words and symbols that could potentially be someone's password. If one of the generated hashes matches a stored hash - obtained by a hacker during a data breach, for example - then the hacker can reverse-engineer the hash and obtain the original password, meaning it's been "cracked."
Bcrypt is considered to be a more secure approach because password-cracking hardware rigs can't generate bcrypt hashes nearly as quickly as they can MD5 and SHA1 hashes. So if attackers obtained a large set of bcrypt hashes from Twitter, in theory, it would take quite a bit of time for them to crack passwords, and particularly for any that might be long or complicated.
Twitter's Agrawal, however, warns that the bug caused users' plaintext passwords to be written to a log before bcrypt completed the hashing process.
To Notify, Or Not To Notify?
Hunt praised Twitter for alerting users. The company could have chosen to not make the discovery public, he says.
Agrawal initially wrote on Twitter that "we are sharing this information to help people make an informed decision about their account security. We didn't have to, but believe it's the right thing to do."
But many commenters took to Twitter to take issue with Agrawal's tweet, which was perhaps ill-worded, especially because criticism of social media companies' privacy and security practices appears to be at an all-time high.
Such suspicion has been fueled by Russian disinformation campaigns that employed Facebook and Twitter, among other sites, during the 2016 U.S. presidential election. And recently, Facebook has faced a backlash over the leak of up to 87 million profiles to Cambridge Analytica, a now-defunct analytics company (see Besieged Cambridge Analytica Shuts Down).
Agrawal later attempted to rephrase his comment. "I should not have said we didn't have to share," he said. "I have felt strongly that we should. My mistake."
I should not have said we didn't have to share. I have felt strongly that we should. My mistake. https://t.co/Cqbs1KiUWd— Parag Agrawal (@paraga) May 3, 2018
That Twitter disclosed the problem in the first place has continued to draw praise. Dan Kaminsky, a well-known security expert who is chief scientist at WhiteOps, tweeted to Agrawal: "You did the brave thing. People don't exactly know how to recognize that nowadays."
Shortly later, as negative comments toward Twitter and Agrawal continued, Kaminsky tweeted: "It's genuinely exhausting seeing Twitter get raged against for making a very, very hard call, correctly. Stop it, or nobody will ever do anything not aggressively legislated as a requirement."
Executive Editor Mathew Schwartz also contributed to this story.