Twitter has urged its 336 million users to immediately change their passwords after the social media company discovered a bug in its password storage system exposed them in plain text in an internal log. The company said it discovered the flaw in an internal audit and has fixed the issue.
It added that there has been "no indication of breach or misuse" by any malicious actors. However, it has recommended users change their passwords out of an "abundance of caution", both on Twitter and any other site or service they may have used the same credentials.
According to Twitter, the company masks passwords using the bcrypt hashing function that replaced the passwords with a random string of numbers and letters that are stored in Twitter's system as internal logs. However, the bug caused the passwords to be written and stored as plain text in an internal log before completing the hashing process.
"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," Twitter CTO Parag Agrawal wrote in a blog post. "We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."
The company did not reveal how many users' passwords were potentially compromised or how long the bug exposed passwords before the bug was discovered and fixed. The disclosure ironically came on "World Password Day", which falls on the first Thursday of May.
"We are sharing this information to help people make an informed decision about their account security," Agrawal tweeted. "We didn't have to, but believe it's the right thing to do."
This disclosure also comes after GitHub made a similar announcement earlier this week, describing a similar incident. The company notified all affected users via email prompting them to reset their passwords. This string of data-related incidents further raises questions for lawmakers and regulators around the world over further scrutiny required for companies who hold vast volumes of user data.