Twitter urges users to change their passwords now. REUTERS/Dado Ruvic

Twitter has alerted all of its users to change their passwords immediately. Twitter said that its users’ passwords were exposed in plaintext due to a bug in its systems.

“We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone,” the company said via its Twitter Support account. “As a precaution, consider changing your password on all services where you’ve used this password.”

Twitter uses the bcrypt hashing function to store mathematical representations of users’ passwords. This enables Twitter’s systems to validate users’ account credentials without having to see their actual passwords, since they are represented by a random set of numbers and letters. Unfortunately, a coding bug in Twitter’s systems caused those passwords to be written in plaintext to an internal log before the hashing process completed, Twitter’s chief technology officer Parag Agrawal explained in a blog post.
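The bug class described above, as an added example that is not Twitter's code and not part of the original article: a signup handler that logs the raw request before hashing, run once as-is and once with a redacting log filter. PBKDF2 from Python's standard library stands in for bcrypt, and the field names, `signup` function and sample credentials are assumptions constructed for illustration.

```python
import hashlib, hmac, io, logging, os

SENSITIVE_KEYS = {"password", "new_password", "current_password"}  # assumed field names

class RedactSecrets(logging.Filter):
    """Mask sensitive values in dict-style log arguments before handlers run."""
    def filter(self, record):
        if isinstance(record.args, dict):
            # Build a new dict so the caller's request data is left untouched.
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in for bcrypt so the example needs no third-party package.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def signup(form: dict, log: logging.Logger) -> dict:
    # The flaw: the whole request is logged before the password is hashed.
    log.info("signup request: %s", form)
    salt = os.urandom(16)
    return {"user": form["user"], "salt": salt,
            "hash": hash_password(form["password"], salt)}

def verify(stored: dict, password: str) -> bool:
    # Validation re-hashes the attempt; the stored record never holds plaintext.
    return hmac.compare_digest(stored["hash"], hash_password(password, stored["salt"]))

def run(with_filter: bool):
    """Return (captured log text, stored record) for one constructed signup."""
    buf = io.StringIO()
    log = logging.getLogger(f"demo.filter_{with_filter}")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers = [logging.StreamHandler(buf)]
    log.filters = [RedactSecrets()] if with_filter else []
    form = {"user": "alice", "password": "correct horse battery"}  # constructed sample
    stored = signup(form, log)
    return buf.getvalue(), stored

if __name__ == "__main__":
    for flag in (False, True):
        text, _ = run(flag)
        print(f"filter={flag}: {text.strip()}")
```

The filter only catches values passed as a mapping under known key names; a password already interpolated into the message string passes through, so the stronger fix is not to log request bodies on credential endpoints at all.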

“We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do,” Agrawal said on his personal Twitter account. “I’m sorry that this happened, but am proud to work at a company that puts people who use our service first.”

Twitter isn’t the only site to be affected by this kind of bug. Ars Technica pointed out that GitHub suffered the same fate with a similar bug earlier this week.

Twitter doesn’t believe that any password information ever left the company’s systems or that any password was misused by anyone. However, Agrawal urges all users to take the necessary steps to make sure that their accounts are safe.

The easiest and quickest way for users to prevent any problems is to change their passwords. This can be done by going to Twitter’s “Settings & Privacy” page and clicking on “Password.” Users will be prompted to enter their current password and then enter their new password twice. On iOS and Android, users will have to go to the “Settings & Privacy” page, tap on “Account” and tap on “Change password.” It’s best to use a strong password that the user isn’t already using on other websites.

Users also have the option to add two-factor verification to have an extra layer of protection for their accounts. On Twitter, this feature is called “Login verification” and it’s located in the “Settings & Privacy” page under “Account.” Login verification is located in the “Security” page in “Account” on the iOS and Android apps.

Login verification will require users to provide their mobile phone number. Once this has been set up, every time the user logs in to Twitter, they will receive a verification code via SMS text message. Users will have to enter that code in order to completely log in to their Twitter account.