Twitter warned its users on Thursday to change their passwords after it discovered that it had mistakenly stored them internally prior to fortifying them through a security technique, leaving the passwords vulnerable to hackers.
Parag Agrawal, Twitter’s chief technology officer, wrote in a blog post that users should also consider changing their passwords on other services if the passwords they used there were the same as on Twitter. The company also disclosed the password flaw in a regulatory filing on Thursday, indicating that the bug was serious enough to warrant more formal disclosure than a corporate blog post. Twitter has about 336 million users, according to its latest letter to shareholders.
Twitter (TWTR, -0.72%) CEO Jack Dorsey followed Agrawal’s post by tweeting that company has “no indication of breach or misuse.” He added that the company warned users because “it’s important for us to be open about this internal defect.”
The software bug said to be responsible for the problem appears to be related to how the company secures user passwords through a security technique called hashing, Agrawal explained. Through the hashing technique, Twitter converts passwords into random assortments of numbers so that when users log in, Twitter can validate passwords without actually having to read them.
Because of the software bug, however, user passwords were written into an unspecified “internal log” before they could be converted into a series of numbers. As a result, user passwords were left vulnerable, although Twitter said no one appears to have improperly accessed the log.
Agrawal said that Twitter discovered the error without the help of outside security researchers, removed the passwords from the internal log, and is “implementing plans” to prevent future errors.
It’s unclear when Twitter found out about the problem or how long the passwords were left unsecured. Fortune contacted Twitter for more details and will update this story if it responds.
Ironically, Twitter’s password mishap was announced on the corporate holiday known as World Password Day, created by Intel security researchers and celebrated on the first Thursday in May as a way to promote good password and cyber security hygiene.
Agrawal initially said via a Tweet that the company “didn’t have to” share the information to the public, but chose to because “it’s the right thing to do.” However, he then backtracked on his statement and said that he “felt strongly that we should.” “My mistake,” Agrawal added.
Dorsey then commended him for “admitting our mistakes quickly, learning, and moving on.”
“We are very sorry this happened,” Agrawal wrote in his blog post. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.” (Fortune)