
Following an internal audit, Twitter admitted today that due to a bug in its password storage mechanism it accidentally logged some users' passwords in internal logs.

Today's disclosure comes days after GitHub described a comparable incident earlier this week.

Just like in the GitHub incident, the passwords were recorded in Twitter's internal server logs in their plaintext format.

Bug wrote plaintext passwords to log files

Twitter said it normally protects passwords by hashing them with bcrypt, a function widely regarded as an industry standard for password storage, so that only the hash, never the password itself, is stored.

"Due to a bug, passwords were written to an internal log before completing the hashing process," a Twitter spokesperson said. "We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."
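The defect Twitter describes is a sequencing one: a log statement ran on the request before the hash was computed. The following Python example is added here to illustrate that pattern and two fixes; it is not Twitter's or GitHub's code, and it uses PBKDF2 from the standard library as a stand-in for bcrypt so it runs offline (the request dict, logger names and the `RedactSecrets` filter are constructed for the example).

```python
import hashlib
import logging
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample request for the demo; not a real credential.
SAMPLE_REQUEST = {"user": "alice", "password": "hunter2-correct-horse"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 from the standard
    library so the example runs offline; the logging bug is independent of
    which password hash is used). Returns an 'alg$salt$digest' string."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


class ListHandler(logging.Handler):
    """Keeps formatted records in memory so the demo can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


# Matches secret-looking fields in dict reprs ('password': 'x'),
# key=value pairs (password=x) and JSON ("password": "x").
SECRET_FIELD = re.compile(
    r"""(["']?(?:password|new_password|passwd|token)["']?\s*[:=]\s*)"""
    r"""('[^']*'|"[^"]*"|[^\s&,}\]]+)""",
    re.IGNORECASE,
)


class RedactSecrets(logging.Filter):
    """Backstop: scrub secret-looking fields from every record before it is
    written, even if application code logs a whole request object."""

    def filter(self, record: logging.LogRecord) -> bool:
        rendered = record.getMessage()  # apply %-style args first
        record.msg = SECRET_FIELD.sub(r"\1'[REDACTED]'", rendered)
        record.args = ()  # args already consumed above
        return True


def make_logger(name: str, redact: bool) -> Tuple[logging.Logger, ListHandler]:
    """Fresh logger writing to an in-memory handler, optionally with redaction."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact:
        handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    return logger, handler


def set_password_vulnerable(request: Dict[str, str], log: logging.Logger) -> str:
    """The defect: a debug line dumps the whole request, plaintext password
    included, before the hash has been computed."""
    log.debug("password change request: %s", request)
    return hash_password(request["password"])


def set_password_hardened(request: Dict[str, str], log: logging.Logger) -> str:
    """Fix: hash first, and log only non-secret fields."""
    hashed = hash_password(request["password"])
    log.info("password change for user=%s accepted", request["user"])
    return hashed


def leaked(lines: List[str], secret: str) -> bool:
    """Audit check: does any log line contain the plaintext secret?"""
    return any(secret in line for line in lines)


def run_demo(request: Dict[str, str] = SAMPLE_REQUEST) -> Dict[str, bool]:
    """Runs the buggy handler, the fixed handler, and the buggy handler behind
    the redaction filter; reports whether the plaintext reached each log."""
    vuln_log, vuln_h = make_logger("demo.vuln", redact=False)
    set_password_vulnerable(request, vuln_log)

    fixed_log, fixed_h = make_logger("demo.fixed", redact=False)
    set_password_hardened(request, fixed_log)

    backstop_log, backstop_h = make_logger("demo.backstop", redact=True)
    set_password_vulnerable(request, backstop_log)

    return {
        "vulnerable_leaks": leaked(vuln_h.lines, request["password"]),
        "hardened_leaks": leaked(fixed_h.lines, request["password"]),
        "backstop_leaks": leaked(backstop_h.lines, request["password"]),
        "backstop_redacted": any("[REDACTED]" in line for line in backstop_h.lines),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The code fix (hash before any logging, and never hand a raw request object to the logger) is the real remedy; the `RedactSecrets` filter is a defence-in-depth layer for the case Twitter describes, where a single stray debug line in one code path defeats an otherwise correct hashing pipeline. A regex-based scrubber can only catch field names it knows about, so it complements, rather than replaces, an audit of what the logs actually contain.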

Bleeping Computer has reached out to Twitter to inquire about the number of affected users, but the social network did not respond before this article's publication.

Twitter lets users decide whether to change their passwords

When this happened at GitHub, the code repository portal emailed all affected users and forcibly reset their passwords.

No Twitter user has yet reported receiving such emails, though some users report being prompted to choose a new password. The company also published a security advisory on its site.

Twitter doesn't see this as a big security issue, arguing that its systems were never breached and that only a handful of employees might have seen the exposed passwords.

"Our investigation shows no indication of breach or misuse by anyone," Twitter said.

UPDATE [May 4, 2018]: A Twitter spokesperson told us today via email that the incident is not related in any way to the GitHub issue. A GitHub employee also confirmed to Ars Technica the two incidents have nothing to do with each other, the GitHub issue being caused by an anti-spam system, not the password hashing mechanism cited by Twitter.
