Serg Nvns - Fotolia

Twitter bug exposes passwords of all 336 million users

On none other than World Password Day, a Twitter bug was announced that led to the passwords of all 336 million users being stored in plaintext in an internal log.

World Password Day may be a (silly) made-up day that no one was aware of before, but all 336 million Twitter users will find it hard to forget after all passwords for the service were put at risk.

According to the company's CTO Parag Agrawal, a Twitter bug was discovered that stored the passwords of all users in plaintext in an internal log. Agrawal asserted in a blog post that the Twitter bug was fixed and there was "no indication of breach or misuse by anyone."

Agrawal's initial tweet about the Twitter bug caused a bit of controversy, though.

Agrawal later walked back the comment and said he "strongly felt [the company] should share" information about the issue.

Following the announcement, a prompt was set to show when a user returned to Twitter and push each user to changing their password. Unfortunately, many users ran into errors when attempting to change passwords.

Some users also noted that changing a Twitter password does not necessarily revoke the OAuth token for all devices that were previously logged in and this behavior was reproduced by SearchSecurity. In May, a phishing attack against Google Docs caused Google to change its policy regarding OAuth tokens.

Mark Gill, an independent information security consultant and trainer, said this was a common problem with OAuth implementations.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, wondered exactly how many passwords were stored in plaintext and for how long the Twitter bug persisted.

"Twitter's end-user notification about the incident is laudable; however, for whatever reason, Twitter omitted these vital details," Kolochenko told SearchSecurity. "Assuming that no breach was detected and nobody in the company had access to this internal log, Twitter could just securely delete the log and fix the problem. A prompt notification to all users may potentially indicate a certain degree of uncertainty about the integrity of the passwords."

Ambuj Kumar, co-founder and CEO of Fortanix, added that it would not be uncommon for Twitter to have duplicate copies of the affected log.

"Many organizations use backup systems and create various copies of the same files on multiple hard drives and systems. The question is: Has Twitter removed all the copies from all the systems, or is there a copy on some internal system that will show up many years from now when people may have forgotten about this incident?" Kumar asked. "As a user, we should change our passwords not just on Twitter, but also on any other services where the same password was used. As a security industry, we should set higher standards for securing sensitive information such as passwords."

Twitter did not respond to requests for comment at the time of this post.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing