Following an internal audit, Twitter admitted today that due to a bug in its password storage mechanism it accidentally logged some users' passwords in internal logs.

Today's disclosure comes after GitHub made a similar announcement earlier this week, describing a similar incident.

Just like in the GitHub incident, the passwords were recorded in Twitter's internal server logs in their plaintext format.

Bug wrote plaintext passwords to log files

Twitter said it normally protects stored passwords by hashing them with bcrypt, a function considered an industry standard among top tech companies.

"Due to a bug, passwords were written to an internal log before completing the hashing process," a Twitter spokesperson said. "We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."
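The failure mode described above, as an added illustration that is not Twitter's code: a password-change handler that logs the whole request before hashing writes the plaintext secret to the log, while the corrected handler hashes first and logs only a redacted view. The field names, the in-memory log and the sample request are constructed for this example, and PBKDF2-HMAC from the standard library stands in for bcrypt because the logging mistake is the same whichever hash is used.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical request field names whose values must never reach a log line.
SENSITIVE_FIELDS = {"password", "new_password"}
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (bcrypt is not in the stdlib)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class ListLog:
    """Collects log lines in memory so the example can inspect what was written."""
    def __init__(self) -> None:
        self.lines: List[str] = []

    def info(self, msg: str) -> None:
        self.lines.append(msg)


def redact(fields: Dict[str, str]) -> Dict[str, str]:
    """Copy of a request with credential values replaced before it is logged."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in fields.items()}


def handle_buggy(request: Dict[str, str], log: ListLog) -> Tuple[bytes, bytes]:
    # The defect the article describes: the request is logged before hashing completes,
    # so the plaintext password lands in the internal log.
    log.info(f"password change request: {request}")
    return hash_password(request["new_password"])


def handle_fixed(request: Dict[str, str], log: ListLog) -> Tuple[bytes, bytes]:
    # Hash first, then log only a redacted view; neither plaintext nor digest is logged.
    salt, digest = hash_password(request["new_password"])
    log.info(f"password change request: {redact(request)}")
    return salt, digest


def audit_log_for_secret(lines: List[str], secret: str) -> bool:
    """What an internal audit checks: does a known secret appear in any log line?"""
    return any(secret in line for line in lines)


def run(handler: Callable, password: str) -> Tuple[bool, bool]:
    """Run one handler on a constructed request; return (leaked to log?, hash verifies?)."""
    log = ListLog()
    request = {"user": "alice", "new_password": password}  # constructed sample input
    salt, digest = handler(request, log)
    return audit_log_for_secret(log.lines, password), verify_password(password, salt, digest)
```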

Bleeping Computer has reached out to Twitter to inquire about the number of affected users, but the social network did not respond before this article's publication.

Twitter lets users decide whether to change their passwords

When this happened on GitHub, the code repository portal sent emails to all affected users and forcibly reset their passwords.

No Twitter user has yet reported receiving such emails, but some are being forced to choose a new password. The company also published a security advisory on its site.

Twitter doesn't see this as a big security issue, arguing that its systems were never breached and that only a handful of employees might have seen the exposed passwords.

"Our investigation shows no indication of breach or misuse by anyone," Twitter said.

UPDATE [May 4, 2018]: A Twitter spokesperson told us today via email that the incident is not related in any way to the GitHub issue. A GitHub employee also confirmed to Ars Technica the two incidents have nothing to do with each other, the GitHub issue being caused by an anti-spam system, not the password hashing mechanism cited by Twitter.
