Following an internal audit, Twitter admitted today that, due to a bug in its password storage mechanism, it accidentally recorded some users' passwords in internal logs.
Today's disclosure comes after GitHub announced a similar incident earlier this week.
Just like in the GitHub incident, the passwords were recorded in Twitter's internal server logs in plaintext.
Twitter said it normally masks passwords by passing them through the bcrypt hashing function, considered an industry standard among top tech giants.
"Due to a bug, passwords were written to an internal log before completing the hashing process," a Twitter spokesperson said. "We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."
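The ordering defect the spokesperson describes, as an added example that is not Twitter's code: a login handler that logs the raw request form before hashing, beside a hardened one that hashes first, logs only a redacted view, and keeps a handler-level scrubbing filter as a second line of defence. hashlib's PBKDF2 stands in for bcrypt so the example runs without third-party packages; the form fields and sample credential are constructed.

```python
import hashlib, logging, os, re
from io import StringIO

SECRET_FIELDS = ("password", "passwd", "new_password")

def hash_password(password):
    # Salted slow hash; stand-in for bcrypt (assumption: avoids a third-party package).
    salt = os.urandom(16)
    return f"pbkdf2-sha256${salt.hex()}${hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 200_000).hex()}"

def redact(form):
    # Copy of a request form with credential fields masked: log this, never the raw form.
    return {k: "[REDACTED]" if k.lower() in SECRET_FIELDS else v for k, v in form.items()}

class RedactSecretsFilter(logging.Filter):
    # Handler-level safety net: scrubs credential-shaped fields even if a call site logs the raw form.
    PATTERN = re.compile(r"('(?:%s)':\s*)'[^']*'" % "|".join(SECRET_FIELDS))
    def filter(self, record):
        record.msg, record.args = self.PATTERN.sub(r"\1'[REDACTED]'", record.getMessage()), ()
        return True

def make_logger(sink, safety_net=False):
    logger = logging.Logger("login", logging.DEBUG)  # fresh, unregistered logger writing to sink
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if safety_net:
        handler.addFilter(RedactSecretsFilter())
    logger.addHandler(handler)
    return logger

def login_vulnerable(form, sink):
    # The defect pattern: the raw form is logged before hashing, so the plaintext lands in the log.
    log = make_logger(sink)
    log.debug("login request %s", form)  # plaintext password written here
    return hash_password(form["password"])

def login_hardened(form, sink):
    # Hash first, log only the redacted view, and keep the handler filter as a second line of defence.
    log = make_logger(sink, safety_net=True)
    stored = hash_password(form["password"])
    log.debug("login request %s", redact(form))
    return stored

def demo():
    # Constructed sample credential; returns (vulnerable log leaks it, hardened log leaks it).
    form = {"username": "alice", "password": "correct horse battery staple"}
    vuln_sink, safe_sink = StringIO(), StringIO()
    login_vulnerable(form, vuln_sink)
    login_hardened(form, safe_sink)
    return form["password"] in vuln_sink.getvalue(), form["password"] in safe_sink.getvalue()
```

The same `in`-check over captured log text is the audit a defender runs to find out whether a secret ever reached the logs.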
Bleeping Computer has reached out to Twitter to inquire about the number of affected users, but the social network did not respond before this article's publication.
When this happened on GitHub, the code repository portal emailed all affected users and forcibly reset their passwords.
No Twitter user has yet reported receiving such emails, but some are being forced to choose a new password. The company also published a security advisory on its site.
"Confirmed!" pic.twitter.com/QQYz8Sr9iH — TinFoilSecurity™ (@oo0Sn3rp0oo), May 3, 2018
Twitter doesn't see this as a big security issue, arguing that its systems were never breached and that only a handful of employees might have seen the exposed passwords.
"Our investigation shows no indication of breach or misuse by anyone," Twitter said.
"We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you've used this password. https://t.co/RyEDvQOTaZ" — Twitter Support (@TwitterSupport), May 3, 2018
UPDATE [May 4, 2018]: A Twitter spokesperson told us today via email that the incident is not related in any way to the GitHub issue. A GitHub employee also confirmed to Ars Technica that the two incidents have nothing to do with each other; the GitHub issue was caused by an anti-spam system, not by the password hashing mechanism Twitter cited.