Twitter bug exposes passwords of all 336 million users

World Password Day may be a (silly) made-up day that no one was aware of before, but all 336 million Twitter users will find it hard to forget after all passwords for the service were put at risk.

According to the company's CTO Parag Agrawal, a Twitter bug was discovered that stored the passwords of all users in plaintext in an internal log. Agrawal asserted in a blog post that the Twitter bug was fixed and there was "no indication of breach or misuse by anyone."

Agrawal's initial tweet about the Twitter bug caused a bit of controversy, though.

We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do. https://t.co/yVKOqnlITA

— Parag Agrawal (@paraga) May 3, 2018

Agrawal later walked back the comment and said he "strongly felt [the company] should share" information about the issue.

Following the announcement, a prompt was set to show when a user returned to Twitter and push each user to changing their password. Unfortunately, many users ran into errors when attempting to change passwords.

Something is massively wrong with #Twitter right now. Error screens when trying to confirm an email address or reset a PW, as they suggest. Another one of my accounts was also hacked today at 2:57pm. #TwitterPassword @Twitter pic.twitter.com/tgQ8WhuuL9

— Nadia P. (@DomainSushi) May 3, 2018

Some users also noted that changing a Twitter password does not necessarily revoke the OAuth token for all devices that were previously logged in and this behavior was reproduced by SearchSecurity. In May, a phishing attack against Google Docs caused Google to change its policy regarding OAuth tokens.

Mark Gill, an independent information security consultant and trainer, said this was a common problem with OAuth implementations.

Basically ‘trust device once’ can equal ‘trust device forever’. Even bigger problem is that so many smaller companies decide to use OAuth on the assumption ‘it must be safe because Google/Twitter etc use it’ without considering their use case vs threat model

— Marquis (@MarquisO) May 4, 2018

Ilia Kolochenko, CEO of web security company High-Tech Bridge, wondered exactly how many passwords were stored in plaintext and for how long the Twitter bug persisted.

"Twitter's end-user notification about the incident is laudable; however, for whatever reason, Twitter omitted these vital details," Kolochenko told SearchSecurity. "Assuming that no breach was detected and nobody in the company had access to this internal log, Twitter could just securely delete the log and fix the problem. A prompt notification to all users may potentially indicate a certain degree of uncertainty about the integrity of the passwords."

Ambuj Kumar, co-founder and CEO of Fortanix, added that it would not be uncommon for Twitter to have duplicate copies of the affected log.

"Many organizations use backup systems and create various copies of the same files on multiple hard drives and systems. The question is: Has Twitter removed all the copies from all the systems, or is there a copy on some internal system that will show up many years from now when people may have forgotten about this incident?" Kumar asked. "As a user, we should change our passwords not just on Twitter, but also on any other services where the same password was used. As a security industry, we should set higher standards for securing sensitive information such as passwords."

Twitter did not respond to requests for comment at the time of this post.