What Happened With Twitter’s ‘Bug’ And Why It Told Everyone To Change Their Passwords
“Out of an abundance of caution” Twitter advised all users Thursday to change their passwords.
The appeal, though, wasn’t because it was hacked or infiltrated. Rather, it was due to the social media company recently discovering that account information like passwords were left exposed, albeit internally.
The culprit: “a bug.”
Due to an error in Twitter’s computers system, “passwords were written to an internal log before completing the hashing process,” Twitter CTO Parag Agrawal wrote on a company blog post first disclosing the situation. “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
Agrawal explained that company procedure is to “mask” passwords through hashing, which will replace the actual password with an obscure set of numbers, letters, and potentially other characters to be stored. The passwords in this instance, however, were never obfuscated through the hashing process.
Twitter is sure to claim that its investigation “shows no indication of breach or misuse by anyone.”
But people may never really be able to tell for sure — at least until someone accesses the several other accounts that sync with Twitter.
“This is a huge deal because Twitter is often used as a single sign-on mechanism into other websites,” George Avetisov, CEO of HYPR, a leader in “decentralized authentication,” told The Daily Caller News Foundation. “A compromised Twitter password may be used to login on completely unrelated websites.”
Despite Twitter’s outward confidence of the bug’s dubious consequences, Aleksandr Yampolskiy, co-founder of SecurityScorecard, a company that monitors and grades the cybersecurity health of any organization, says “we don’t know,” and Twitter’s actions, or lack thereof, are telling of the potential repercussions.
“Having an unencrypted password in the logs certainly increases the chances of that happening,” Yampolskiy said in regards to the chances of individuals’ information being exposed. “Even if an attacker compromised Twitter’s systems — if the passwords are properly protected, he’d have to reverse the hash, which is a very hard and often impossible process. In this case, however, he wouldn’t have to do it.”
There is also the possibility, Yampolskiy conjectured, that “a system administrator working for Twitter can see cleartext passwords and reveal them outside if he was unscrupulous.”
Regardless of whether passwords were compromised, Agrawal outlined and encouraged a number of ways to increase the security of one’s account, including two-factor authentication — a mechanism that multiple tech experts told TheDCNF is superior to most others.
To cybersecurity experts like Avetisov and Yampolskiy that on its own is not enough.
“Twitter should have mandated two-factor authentication by now, but it’s still optional,” said Avetisov. “While this isn’t a silver bullet, it certainly makes hacking a user’s account much more difficult.”
Yampolskiy thinks people will view a plea from the platform to change their passwords as “a big inconvenience.”
“It will be interesting to see users’ reaction to this,” he continued.
A spokeswoman for Twitter told TheDCNF that they are “not forcing a password reset but are presenting the information for people to make an informed decision about their account.”
“We believe this is the right thing to do,” the company representative said. Without a compulsion to do so, people may not exercise the best cybersecurity practices, which is of course a responsibility of users, but one that will also ultimately spill culpability onto Twitter — whether fair or not.
Yampolskiy also agrees with Avetisov, arguing that two-factor authentication should be set up by default, and not merely advocated for.
Agrawal said he and Twitter are sorry that this happened, but also added that they “didn’t have to” share such information and levy a request for people to change their passwords.
I’m sorry that this happened, but am proud to work at a company that puts people who use our service first.
— Parag Agrawal (@paraga) May 3, 2018
He eventually also apologized for the “mistake” of saying they had no obligation of disclosure.
I should not have said we didn’t have to share. I have felt strongly that we should. My mistake. https://t.co/Cqbs1KiUWd
— Parag Agrawal (@paraga) May 3, 2018
How much Twitter really “puts people who use” their service first isn’t explicit since, according to Yampolskiy’s SecurityScorecard, it lags behind peers in the technology industry at least for the past year.
Still, Avetisov says that social media companies in general “are not particularly well known or praised for their cybersecurity practices.”
“Although internal practices and employee access may be held to a high regard, the user security has not kept up,” he continued. “LinkedIn had one of the worst password breaches of all time and Facebook’s recent privacy woes are not helping the narrative that social media giants value user account security.”
Follow Eric on Twitter
Send tips to email@example.com.