Twitter Bug Discovered, 330 Million Users Impacted

John Burcham — May 4, 2018 Follow @EZShield

— May 4, 2018

What happened?

On May 3, Twitter confirmed a bug impacting 330 million users. The “Twitter bug” affected internal password hashing mechanisms, allowing plaintext passwords to be stored in their databases.

In the programming world, a bug is considered an “error” or “flaw” in code that causes something unexpected (and often undesired) to happen. Twitter has confirmed that the bug had been fixed and there is no evidence user information was misused.

The “Twitter Bug” Explained

Twitter confirmed that the bug was discovered internally and was addressed immediately. The bug allowed Twitter passwords to be written and stored in plaintext before the encryption process had been completed.

Twitter Explains Hashing Bug

Twitter explained the bug in a public statement on May 3, 2018:

We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters stored in Twitter’s system. This allows us to validate your account credentials without revealing your password. This is an industry standard.

Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords and are implementing plans to prevent this bug from happening again.

Source: Keeping Your Account Secure, 2018

Twitter uses “bcrypt,” which is a hashing mechanism that scrambles your password with other numbers, letters and characters. In theory, user passwords are hashed using bcrypt, then stored in the company’s internal database. Twitter uses bcrypt to make your passwords harder to crack if they should ever fall into the wrong hands.

What is password hashing?

Password hashing is a security mechanism that adds an extra layer of protection to your passwords. Hashing creates a new “version” of your passwords by converting them into unrelated numbers, letters and characters.

Passwords in “plaintext” can be viewed as they were originally created. For example, if your password is “mypassword2018,” your plaintext password is “mypassword2018.”

Once “mypassword2018” is hashed, it turns into a string of random characters – making it harder for fraudsters to misuse them. Most online companies use password hashing to better protect user login credentials – even if the information is breached.

What should I do?

Changing your passwords on a regular basis is a basic rule-of-thumb when it comes to online account security. Even though Twitter has confirmed that the bug has been fixed, it can still present major risks for Twitter users as it pertains to their account privacy and security.

Use the tips below to help secure your passwords from potential misuse:

Change your Twitter password as soon as possible. Ensure that you are using a combination of upper- and lowercase letters, numbers and special characters.
Avoid reusing your Twitter password to prevent hackers from accessing other online accounts.
Review your login authentication settings in your Twitter account. Consider using multi-factor authentication so that accessing your account requires more than just your username and password.

Digital & Social Articles on Business 2 Community

Author: John Burcham

John Burcham is Corporate Counsel for EZShield. He is a Certified Compliance and Ethics Professional through the SCCE, and has broad experience in an extensive variety of compliance and regulatory areas, including the FTC Act, UDAAP, Sarbanes-Oxley, GLB, Dodd-Frank, PCI Compliance, FCRA and state level regimes.
John has Bachelor of… View full profile ›

(20)

Discovered impacted Million Twitter Users