
Following an internal audit, Twitter admitted today that due to a bug in its password storage mechanism it accidentally logged some users' passwords in internal logs.

Today's disclosure comes after GitHub made a similar announcement earlier this week, describing a similar incident.

Just like in the GitHub incident, the passwords were recorded in Twitter's internal server logs in their plaintext format.

Bug wrote plaintext passwords to log files

Twitter said it normally masks passwords by passing them through the bcrypt hashing function, considered an industry standard among top tech giants.

"Due to a bug, passwords were written to an internal log before completing the hashing process," a Twitter spokesperson said. "We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."
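The failure mode described above (a request logged before hashing completes), shown next to a hardened handler and a log check, as an added example that is not Twitter's code. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it; the field names, log format and `[REDACTED]` marker are assumptions.

```python
import hashlib
import hmac
import json
import os

# Stand-in for bcrypt: salted PBKDF2-HMAC-SHA256 (the ordering bug, not the hash, is the point).
ITERATIONS = 200_000
SENSITIVE_FIELDS = {"password", "new_password", "current_password"}  # assumed field names


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2${}${}".format(salt.hex(), digest.hex())


def verify_password(password, stored):
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def redact(record):
    # Replace credential fields before the record can reach any log sink.
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def vulnerable_change_password(request, log):
    # Bug pattern from the article: the raw request hits the internal log before hashing.
    log.append(json.dumps(request))
    return hash_password(request["password"])


def fixed_change_password(request, log):
    # Hash first, then log only a redacted copy; the plaintext never enters a log record.
    hashed = hash_password(request["password"])
    log.append(json.dumps(redact(request)))
    return hashed


def leaked_passwords(log_lines, field_names=SENSITIVE_FIELDS):
    """Detection check: JSON log lines that still carry a credential field with a live value."""
    leaks = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # non-JSON lines are out of scope for this check
        for field in field_names:
            if field in rec and rec[field] != "[REDACTED]":
                leaks.append((field, rec[field]))
    return leaks
```

Running `leaked_passwords` over an existing log store is the same audit a team would do to confirm whether the bug ever fired in production.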

Bleeping Computer has reached out to Twitter to inquire about the number of affected users, but the social network did not respond before this article's publication.

Twitter lets users decide whether to change their passwords

When this happened on GitHub, the code repository portal sent emails to all affected users and forcibly reset their passwords.

No Twitter user has yet reported receiving such emails, but some are being forced to choose a new password. The company also published a security advisory on its site.

Twitter doesn't see this as a big security issue, arguing that its systems were never breached and that only a handful of employees might have seen the exposed passwords.

"Our investigation shows no indication of breach or misuse by anyone," Twitter said.

UPDATE [May 4, 2018]: A Twitter spokesperson told us today via email that the incident is not related in any way to the GitHub issue. A GitHub employee also confirmed to Ars Technica the two incidents have nothing to do with each other, the GitHub issue being caused by an anti-spam system, not the password hashing mechanism cited by Twitter.
