Twitter has urged all of its 330 million users to change their password after a software glitch exposed the passwords by storing them in readable text on its internal systems.
Twitter hashes passwords using a function known as bcrypt. This replaces a password with a seemingly random string of numbers and letters, which is then stored on its systems. Masking the password in this way means Twitter can validate a user’s credentials without revealing the password itself. Not even Twitter employees can see it.
But a software glitch before the hashing process meant passwords were left exposed in a readable form. Twitter said it had found and resolved the problem and there was no indication that any passwords had been stolen or misused.
“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again. We are very sorry this happened. We recognise and appreciate the trust you place in us and are committed to earning that trust every day.”
- Parag Agrawal: CTO, Twitter Inc
While they made the assurance all was secure, Twitter still recommended its customers consider changing their passwords to be on the safe side.
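The hashing step and the pre-hashing glitch described above can be shown side by side; this is an added example, not Twitter's code. It assumes the internal system is an application log, uses PBKDF2 from the Python standard library as a stand-in for bcrypt, and all function and field names are hypothetical.

```python
import hashlib
import hmac
import io
import logging
import os

SENSITIVE_FIELDS = {"password", "new_password"}  # hypothetical form field names

def hash_password(password, salt=None):
    """Salted, slow hash. PBKDF2 is a stdlib stand-in for bcrypt here."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest  # store salt alongside digest, never the password

def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

def redact(form):
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v
            for k, v in form.items()}

def make_logger(name):
    """Logger writing to an in-memory buffer that stands in for an internal log."""
    buf = io.StringIO()
    log = logging.getLogger(name)
    log.handlers = [logging.StreamHandler(buf)]
    log.setLevel(logging.INFO)
    return log, buf

def signup_leaky(form, log):
    log.info("signup request: %s", form)  # BUG: plaintext logged before hashing
    return hash_password(form["password"])

def signup_hardened(form, log):
    log.info("signup request: %s", redact(form))  # masked before it is written
    return hash_password(form["password"])

def demo():
    form = {"user": "alice", "password": "correct horse battery staple"}  # constructed
    leaky_log, leaky_buf = make_logger("leaky")
    safe_log, safe_buf = make_logger("safe")
    stored = signup_leaky(form, leaky_log)
    signup_hardened(form, safe_log)
    return {
        "leaky_log_has_password": form["password"] in leaky_buf.getvalue(),
        "safe_log_has_password": form["password"] in safe_buf.getvalue(),
        "correct_verifies": verify_password(form["password"], stored),
        "wrong_verifies": verify_password("guess", stored),
    }
```

Calling `demo()` shows that both versions store only the salted hash, yet the leaky one still leaves the readable password in the log, which is why a strong hash alone does not protect a password that is recorded before hashing.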
How to change your Twitter password
To change your password on Twitter, click on your Profile Picture icon in the top right-hand corner, then go to Settings and Privacy, and click on Password.
With the Twitter app on iOS and Android, click on your Profile Picture icon in the top left corner and then go to Settings and Privacy, Account and Change Password.
It is highly recommended to change the password on any other services where you have used the same password.
Finally, it is also recommended to use a two-factor authentication service on Twitter. This will add extra layers of security to your account and help prevent your account from being hacked.
This is not the first time Twitter has called on its users to change their passwords. Back in 2016 Twitter warned users to change their passwords after a hacker was found to be selling 33 million Twitter logins on the dark web.
And just this month it was reported that Twitter had inadvertently sold advertisements to scammers who ran a campaign spreading phishing scams in the name of ‘Twitter blue verification badges.’