Twitter is advising users to change their passwords after a bug “unmasked” credentials that were stored internally and disguised so they couldn’t be seen, but the company said there is no indication of a breach.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
The company said it masks all passwords stored internally through hashing — replacing the actual password with random characters and numbers — so that no one can see them. But this bug caused passwords to be saved to the company’s internal logs before they were disguised.
“We are very sorry this happened,” the company wrote in its blog post. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
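The failure described above, a password written to a log before it is hashed, is shown here next to a log filter that masks the field before any handler sees it. This is an added example, not Twitter's code: the field names, the logger setup and the use of PBKDF2 as the hash are assumptions for illustration, and the signup form is constructed sample input.

```python
import hashlib
import io
import logging
import os

SENSITIVE_KEYS = {"password", "new_password"}  # assumed field names
PBKDF2_ROUNDS = 200_000                        # assumed work factor


class RedactSecrets(logging.Filter):
    """Mask sensitive fields in dict log arguments before a handler formats them."""

    def filter(self, record):
        # logging stores a single dict argument directly in record.args
        if isinstance(record.args, dict):
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True  # keep the record, now without the secret


def hash_password(password, salt=None):
    """Return (salt, digest); only these two values are meant to be stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def signup(form, redact):
    """Process one signup form; return (captured log text, stored record)."""
    buf = io.StringIO()
    log = logging.getLogger(f"signup.redact={redact}")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers = [logging.StreamHandler(buf)]
    log.filters = [RedactSecrets()] if redact else []
    # The bug pattern: the raw form is logged before the password is hashed.
    log.info("signup request: %s", form)
    salt, digest = hash_password(form["password"])
    stored = {"username": form["username"], "salt": salt, "hash": digest}
    return buf.getvalue(), stored


if __name__ == "__main__":
    form = {"username": "alice", "password": "correct horse"}  # constructed
    print(signup(form, redact=False)[0], end="")
    print(signup(form, redact=True)[0], end="")
```

The stored record is identical in both runs; only the log line differs, which is why hashing at rest does not by itself protect a password that passes through logging first.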