Twitter Inc. advised users to change their passwords after the company found a bug in its systems that exposed passwords in plain text internally.
The company said it removed the non-encrypted passwords from its system, and is working to avoid such an issue happening again.
An internal investigation “shows no indication of breach or misuse by anyone” and there’s “no reason to believe password information ever left Twitter’s systems or was misused by anyone,” the social-media firm said. Still, the company advised users to change passwords for Twitter and for any other services where they reuse the same password.
Online privacy scares are common nowadays. However, Twitter’s misstep is disturbing because there’s no reason for companies to store user passwords in plain text, even in internal files, according to Phil Libin, a startup founder.
“This is not a breach. It’s significantly worse,” Libin wrote on Twitter. “This kind of bug seems grossly negligent at best. There’s no reason for a plaintext password to ever be written to a file. It’s not even the lazy way to code a password handler. It took effort to make this mistake.”
Twitter CTO Parag Agrawal said the company didn’t have to disclose the bug but decided to share the information “to help people make an informed decision about their account security.”