Twitter has admitted to storing user passwords in plain text, and these may have been exposed to the company’s internal tools. The company urges its users to change their passwords as soon as possible.
In an official statement, the company explained that whenever you set a password for your Twitter account, its technology masks it so that no one at the company can see it. However, it recently uncovered a cybersecurity vulnerability that left passwords stored in an internal log, completely unmasked.
Although the company did not reveal the exact number of affected users, reportedly, the number is quite substantial and the unmasked passwords were essentially in plain view for several months.
As to why Twitter decided to store them in plain text prior to hashing – that remains a mystery. Allegedly, the company uses bcrypt, a strong password hashing algorithm, but for whatever reason, the passwords were written to an internal log before being fed into the hashing process.
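The failure described above, a password reaching a log before it is hashed, can be reproduced and guarded against with a logging filter. This is an added example, not Twitter's code: the field name `password`, the logger names and the sample request are assumptions, and PBKDF2 stands in for bcrypt so the block runs on the standard library alone.

```python
import hashlib
import io
import logging
import os

SENSITIVE_KEYS = {"password"}  # assumed field name for this example

class RedactSecrets(logging.Filter):
    """Mask sensitive fields in dict log arguments before handlers format them."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True

def hash_password(password, salt):
    # PBKDF2 from the standard library stands in for bcrypt here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def handle_signup(request, logger):
    # The flaw: the whole request, password included, is logged before hashing.
    logger.info("signup request: %s", request)
    salt = os.urandom(16)
    return salt, hash_password(request["password"], salt)

def run_signup(redact):
    """Process one constructed signup and return what reached the log."""
    stream = io.StringIO()
    logger = logging.getLogger("signup.redacted" if redact else "signup.raw")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    logger.addHandler(logging.StreamHandler(stream))
    if redact:
        logger.addFilter(RedactSecrets())
    # Constructed sample request, not real data.
    request = {"username": "alice", "password": "correct horse battery"}
    handle_signup(request, logger)
    return stream.getvalue()

if __name__ == "__main__":
    print("without filter:", run_signup(redact=False), end="")
    print("with filter:   ", run_signup(redact=True), end="")
```

The filter only covers dict arguments and is a safety net; the primary fix is to keep credential fields out of log calls entirely.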
Luckily, they have already fixed the bug, and as of right now, there are absolutely no signs of a breach or misuse.
Since this is technically not a breach, the company has decided not to force a password reset. Also, the chance of an unauthorised individual finding these passwords is rather low. Changing your Twitter password is therefore by no means obligatory, but it is the recommended route if you want to remain on the safe side.