Chief technology officer of Twitter, Parag Agrawal broke the news on Wednesday that its internal team had found that, while passwords are usually stored scrambled by encryption, something had caused at least one log to record them in plaintext.
“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard,” Agrawal said of the non-functioning security feature.
“Due to a bug, passwords were written to an internal log before completing the hashing process.”
Twitter is stressing that the issue was found in-house by its own engineers, and that so far there are no indications of anyone outside the company being able to even view the file, let alone harvest the passwords.
Still, Twitter is advising everyone who has an account to change their password and do the same with any other site where the password was re-used (as a best practice you shouldn’t be reusing passwords anyway).
“We are very sorry this happened,” Agrawal told users. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
The timing of the disclosure is particularly bad for Twitter, as much of the internet is today observing World Password Day by raising awareness of good password management practices and safe storage.
Certainly this was not the type of exposure Twitter was seeking, particularly as it tries to beef up its protection of user data in the wake of the Cambridge Analytica data-harvesting scandal.
Meanwhile, GitHub suffered a similar blunder: it also dumped plaintext passwords into its log files.
“During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users’ passwords to our internal logging system, including yours,” GitHub wrote in an email to its users.
“We have corrected this, but you’ll need to reset your password to regain access to your account.
“GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time.
“Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way.”