Twitter has warned its 330 million users to change their passwords after a glitch exposed some in plain text on its internal network.
The social network said an internal investigation had found no indication passwords were stolen or misused by insiders.
However, it still urged all users to consider changing their passwords "out of an abundance of caution". Link.
I don't think I'll bother.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. 200GB. Sync 67717/13670Kbps @ 600m. BQMs - IPv4 & IPv6
Edited by RobertoS (Thu 03-May-18 22:30:48)
I don't think I'll bother.
I use 2-Step and also use a completely random, made-up password not used anywhere else, along with its own email address, so unless they also have my phone they are not getting in.
Also the only people that would see those logged passwords would be Twitter Staff.
Paul
Leaks only occur from staff or contractors.
Luckily I fixed all my problems with Twitter leaking passwords over a year ago. I deleted my account
Plus the username and password for it were unique to Twitter, so even if our friends at Twitter didn't delete the data it isn't going to do anyone any good.
So, they are storing passwords unencrypted ... why? And if they are visible to staff, how long before a hacker gains access to them?
And as passwords can be classed as personal data, then surely there is a potential breach of data protection.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
M H C
taurus excreta cerebrum vincit
So, they are storing passwords unencrypted ... why? And if they are visible to staff, how long before a hacker gains access to them?
And as passwords can be classed as personal data, then surely there is a potential breach of data protection.
No, they hash them with Blowfish, but the log entry was written before it was hashed, so the logs showed the passwords.
Paul
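The failure Paul describes (the request is logged before the password is hashed) next to the fix, as an added example that is not from this thread or from Twitter's code; it uses PBKDF2 from hashlib as a stand-in for the bcrypt/Blowfish hash, an in-memory logger so the log text can be inspected, and a constructed sample request.

```python
import hashlib
import io
import logging
import os

# Field names whose values must never reach a log line (constructed list).
SENSITIVE_KEYS = {"password", "passwd", "new_password", "token", "secret"}

def redact(payload: dict) -> dict:
    """Copy of the request with secret-bearing fields masked before logging."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v
            for k, v in payload.items()}

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2 stand-in (assumption) for the bcrypt/Blowfish hash in the thread."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare."""
    salt_hex, _ = stored.split("$", 1)
    return hash_password(password, bytes.fromhex(salt_hex)) == stored

def _capture_logger(name: str):
    """Logger that writes to a StringIO so the resulting log text can be checked."""
    buf = io.StringIO()
    log = logging.getLogger(name)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    log.addHandler(logging.StreamHandler(buf))
    return log, buf

def login_logs_before_hashing(request: dict):
    """Bug pattern from the thread: the raw request is logged, then hashed."""
    log, buf = _capture_logger("login.vulnerable")
    log.debug("login request: %s", request)   # plaintext password lands in the log
    return hash_password(request["password"]), buf.getvalue()

def login_with_redaction(request: dict):
    """Fixed version: only a redacted view of the request is ever logged."""
    log, buf = _capture_logger("login.fixed")
    log.debug("login request: %s", redact(request))
    return hash_password(request["password"]), buf.getvalue()

if __name__ == "__main__":
    req = {"user": "alice", "password": "correct-horse-constructed"}  # constructed sample
    for handler in (login_logs_before_hashing, login_with_redaction):
        stored, log_text = handler(req)
        print(handler.__name__, "password visible in log:", req["password"] in log_text)
```

Grepping stored logs for known test passwords, as the last check here does, is a cheap way to catch the same regression in a real log pipeline.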
So for as long as the log is stored they are storing passwords unencrypted then. Looks like M H C has a valid point even if they are only stored for a short period of time. After all, if the logs were not stored, how did Twitter know there were unencrypted passwords in their system?
So for as long as the log is stored they are storing passwords unencrypted then. Looks like M H C has a valid point even if they are only stored for a short period of time. After all, if the logs were not stored, how did Twitter know there were unencrypted passwords in their system?
This might be true. I think they saw it when they were looking into some server issues they had a little while back; this was probably when they saw it.
I know they said as soon as they noticed this they updated the site to resolve the security issue.
Sure, it was a security issue, but most people, including myself, were fine due to using 2-Step login, so even if they get my password (which is random characters used just for Twitter) they would also need my phone to log in.
Paul
How do you know that most people use 2-step login? Or have they said so?
How do you know that most people use 2-step login? Or have they said so?
Well, it was an assumption, best practice etc., plus everyone I know who goes online uses 2-Step to log in wherever it's supported.
Whether it is an SMS with a code or the use of an authenticator, they use it.
Now, are there people that don't use 2-Step to log in? Yes, there probably are.
But it only takes a few minutes to set up, and it is an extra step to take when you log in the first time after activating it, or if you log in from a new device, or when you link services to it, but that is no reason why you shouldn't add this extra security level to protect your account.
Paul