Millions of Twitter users who tried to log in to the micro-blogging site on Thursday night-Friday morning were surprised to see a message asking them to change their password.
The message from Twitter, which has 336 million users, said that the company had identified a bug that stored passwords unmasked in an internal log. “We have fixed the bug and found no indication of misuse or breach by anyone”, the message claimed, adding that “out of an abundance of caution, we ask that you consider changing your passwords on all services where you have used”.
Twitter apologised for the incident, which came against the backdrop of intense scrutiny of the security of personal data online.
While many wondered whether this amounted to a serious lapse, the company’s Chief Technology Officer, Parag Agrawal, explained what had happened.
In a blog post, Agrawal wrote that they “masked passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system”. This allows the system to validate account credentials without revealing the password.
Due to a bug, these passwords were written to an internal log before the hashing process was completed. “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again”.
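The failure the article describes, a login handler writing the raw request to an internal log before the password is hashed, shown beside the mitigation of redacting credential fields before anything reaches the log. This is an added illustration, not Twitter’s code; the field names, the sample request and the in-memory log are constructed, and PBKDF2 from the standard library stands in for bcrypt so the example runs without extra packages.

```python
import hashlib
import hmac
import logging
import os
from io import StringIO

# Constructed example: fields that must never appear in a log record.
SENSITIVE_FIELDS = {"password", "new_password", "token"}


def redact(fields: dict) -> dict:
    """Return a copy of the request fields that is safe to write to a log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in fields.items()}


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted slow hash. PBKDF2 (stdlib) stands in for bcrypt here; the storage
    model is the same: only salt and digest are kept, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def handle_login(request: dict, log: logging.Logger, redact_first: bool) -> tuple:
    """Log the attempt, then hash. With redact_first=False the plaintext
    password is written to the log before hashing, the bug in the article."""
    if redact_first:
        log.info("login attempt fields=%s", redact(request))
    else:
        log.info("login attempt fields=%s", request)  # plaintext reaches the log
    return hash_password(request["password"])


def run(redact_first: bool) -> tuple:
    """Run one constructed login through an in-memory log; return the log text
    and the (salt, digest) pair that would be stored."""
    buf = StringIO()
    log = logging.getLogger("internal.redact_%s" % redact_first)
    log.handlers.clear()
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))
    log.propagate = False
    stored = handle_login({"user": "alice", "password": "hunter2-constructed"}, log, redact_first)
    return buf.getvalue(), stored


def log_leaks_password(redact_first: bool) -> bool:
    """True if the constructed password ended up in the log output."""
    return "hunter2-constructed" in run(redact_first)[0]
```

The redaction check is the kind of control a code review or a log-scanning test can enforce centrally, so that a new log statement cannot reintroduce the leak.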
The Twitter CTO had the following tips for users to keep their accounts secure.
“We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day,” Agrawal said.