Twitter has admitted that user passwords were briefly stored in plaintext and may have been exposed to the company’s internal tools.
In a blog post, the microblogging site urged users to change their passwords.
“When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log,” said Twitter in a statement.
Twitter didn’t say how many accounts were affected, but Reuters reports — citing a source — that the number of affected users was “substantial” and that passwords were exposed for “several months.”
It’s unclear exactly why user passwords were stored in plaintext before they were hashed. Twitter said that it stores user passwords with bcrypt, a stronger password hashing algorithm, but a bug meant that passwords were “written to an internal log before completing the hashing process.”
The company said it fixed the bug and that an investigation “shows no indication of breach or misuse” by anyone.
A spokesperson for Twitter reiterated that the bug “is related to our internal systems only,” but it did not comment further.
A source familiar with the ongoing investigation told ZDNet that the internal log where user plaintext passwords were accidentally logged was found in an obscure place, and it’s believed that the likelihood of someone finding it was low.
“Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account,” said the spokesperson. “We believe this is the right thing to do.”
The company had 330 million users at its fourth-quarter earnings in February.
Twitter is the second company to admit a password-related bug this week.
GitHub on Tuesday said it also exposed some users’ plaintext passwords after they were written to an internal logging system.
It’s not known if the two incidents are related, and a Twitter spokesperson would not comment in a follow-up email.