The company says it has fixed the error and knows of no breaches, but users should be cautious anyway.
Twitter advised its 330 million users on Thursday to change their passwords after some of them were accidentally stored in plain text on an internal log.
Twitter said in a post on its official blog that it had fixed the error and that it believed that no passwords were breached or misused. But it told users to consider changing their Twitter passwords “out of an abundance of caution.”
Twitter didn’t say how many passwords were exposed or for how long.
Twitter, like most large internet companies, uses a standard password-protection technique called “hashing,” which runs your password through a one-way mathematical function to convert it into a string of random-seeming numbers and letters. For example, in one kind of hashing, the password “password” might become “5f4dcc3b5aa765d61d8327deb882cf99.”
When you type in “password” at the Twitter log-in screen, what Twitter actually gets is that soup of letters and numbers; it compares it with the soup it cooked up and lets you in only if they match. Combined with other mechanisms, hashing makes it extremely difficult to reverse-engineer a password from its hash.
The idea is that your actual password isn’t ever supposed to be saved on Twitter’s servers — but that’s what happened in this case, the company said.
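As an added illustration (not from the article or from Twitter), the snippet below reproduces the article's hash example, which is the MD5 digest of “password”, shows what a service should store instead (a per-user random salt plus a slow, salted hash, so the plaintext is never kept), and contrasts a log line written before hashing with one that is safe to keep. The usernames, passwords and log format are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# The article's example: one kind of hashing (MD5) turns "password" into
# "5f4dcc3b5aa765d61d8327deb882cf99". Fast, unsalted hashes like this are the
# "older" kind: anyone can precompute the hashes of common passwords and look them up.
def legacy_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# What should be stored instead: a random salt per user and a deliberately slow,
# salted hash (PBKDF2 from the standard library). The plaintext never touches disk.
def make_record(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

# Login: hash what the user typed the same way and compare the two "soups" in
# constant time, so timing does not leak how many characters matched.
def verify(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

# The kind of mistake the article describes: a debugging line written to an
# internal log before the password was hashed (constructed format, not Twitter's).
def buggy_log_line(username: str, password: str) -> str:
    return f"login attempt user={username} password={password}"

# A log line should carry nothing that helps an attacker if the log itself leaks.
def safe_log_line(username: str) -> str:
    return f"login attempt user={username}"
```

Anyone who can read the buggy log learns the password directly, whereas the stored record only lets the service check a guess at the cost of one slow hash per attempt.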
“We are very sorry this happened,” it said. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
Security specialists advise everyone to follow a few simple rules to protect their passwords:
- Use hard-to-guess passwords. That wouldn’t have made a difference in the Twitter case, but not every online service uses hashing, and some that do still rely on older, weaker hashing methods that are easier to crack.
- Never reuse passwords. If a bad guy manages to get one of your passwords and you’re using it on multiple sites, he has the key to your data on all of them.
- Use two-factor authentication, or 2FA, a process that requires you to enter an extra one-time code sent by text message or generated by an app on your phone every time you log in. Google offers a 2FA service, and more companies and sites are adopting it as an added security option.
And remember: When you change your Twitter password, be sure to update it at any other site linked to your Twitter account. You can find your list of Twitter-linked accounts here.