A piece in today’s Times:
Yesterday’s World Password Day, an annual PR stunt from Intel, took on unexpected relevance after Twitter asked all of its 336 million users to change their passwords, admitting that a “bug” had left them exposed.
Twitter passwords would normally be stored only in encrypted form but the company said yesterday that due to an oversight they had been kept in plain text in an internal log. This would have left them freely accessible to at least some Twitter employees and more vulnerable to external hackers.
The microblogging site insisted that it was recommending that users change their passwords only out of an “abundance of caution” due to the company’s sense of social responsibility. It said that there was no evidence or indication that passwords had been obtained or misused by hackers.
Anyone who did obtain those passwords would have gained access to personal data of Twitter users, including a log of their Twitter activity, and the ability to post from their accounts. Because people often use the same password and email address for multiple online services, anyone obtaining the data could have hacked people’s accounts on other sites.
The failure of Twitter to safeguard its users’ data adequately comes after Facebook came under fire for failing to protect the personal information of nearly 90 million people, which was obtained by Cambridge Analytica, the now defunct consultancy accused of electoral meddling.
Parag Agrawal, Twitter’s chief technology officer, tweeted: “We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but it’s the right thing to do.”
This prompted one user of the site to comment: “Twitter’s CTO is acting like they’re doing us a favour by letting us know that Twitter wasn’t securely storing our passwords.”
In a blog post, Mr Agrawal said: “We recognise and appreciate the trust you place in us, and are committed to earning that trust every day.”
Normally when a user sets a password for a Twitter account, the company uses encryption technology that masks it so that no employee can view it. This also makes it far more difficult for any hackers to access the data in the event of a breach. However, Twitter last night admitted that it had identified “a bug that stored passwords unmasked in an internal log”.
A spokesman added: “We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password any time by going to the password settings page.”
He said: “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
Twitter’s embarrassment comes shortly before the implementation of stricter data laws, the General Data Protection Regulation (GDPR), on May 25. The rules will hold companies to higher standards of data protection in the UK and across the European Union, introducing fines of up to €20 million or 4 per cent of global turnover.
Facebook, which has been heavily criticised by politicians for its failure to protect users’ data, has fired an employee who was abusing his access to internal Facebook data to “stalk” a woman who he was speaking to on the dating app Tinder. A spokesman said yesterday that the employee had been sacked immediately after his activities were discovered.
You can subscribe to The Times here.
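The article describes two things worth seeing in code: the normal practice of storing a password only in masked form so that no employee can read it (in practice a one-way, salted password hash rather than reversible encryption), and the failure mode in which a verbose internal log captures the password before it is hashed. The example below is added here and is not code from Twitter or The Times; the function and class names, the PBKDF2 work factor, and the constructed user "alice" with password "hunter2!" are illustrative assumptions. It stores only a salted PBKDF2-HMAC-SHA256 hash, verifies in constant time, and attaches a logging filter that redacts password-like fields before any handler writes them, so the kind of debug line that caused the incident no longer carries the credential.

```python
import hashlib
import hmac
import logging
import re
import secrets

# Added example, not code from Twitter or The Times. Names, the work factor and the
# sample user/password used below are assumptions constructed for illustration.

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune to the hardware you run on


def hash_password(password: str) -> str:
    """Return the only thing that should ever be stored: algo$iterations$salt$hash (hex)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != ALGO:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False


# Matches key=value, key: value or key: "quoted value" for password-like field names.
_SECRET_FIELD = re.compile(
    r'(?i)\b(password|passwd|pwd|new_password|old_password)\s*[=:]\s*("[^"]*"|\'[^\']*\'|\S+)'
)


def redact(text: str) -> str:
    """Replace the value of any password-like field with a placeholder."""
    return _SECRET_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


class RedactSecretsFilter(logging.Filter):
    """Rewrite each record's message before any handler formats or writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is now fully formatted; nothing left to interpolate
        return True


class ListHandler(logging.Handler):
    """Stand-in for a file or syslog handler so the output can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_auth_logger(name: str = "auth") -> tuple[logging.Logger, ListHandler]:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactSecretsFilter())  # on the logger, so every handler sees redacted text
    return logger, handler


def change_password(username: str, new_password: str) -> tuple[str, list[str]]:
    """Constructed password-change flow, including the kind of debug line that leaks credentials."""
    logger, handler = build_auth_logger()
    # A verbose request dump like this is how a plaintext password ends up in an internal log.
    logger.debug("password change request user=%s new_password=%s", username, new_password)
    stored = hash_password(new_password)
    logger.info("password updated user=%s algo=%s", username, ALGO)
    return stored, handler.lines


if __name__ == "__main__":
    record, log_lines = change_password("alice", "hunter2!")
    print(record)
    print("\n".join(log_lines))
```

The filter is attached to the logger rather than to a single handler so that every sink (file, syslog, a forwarding agent) receives the already-redacted record. Redaction is a safety net, not a substitute for not logging request bodies that carry credentials in the first place; the durable fix is to keep the raw password out of the code path that produces log lines.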