Twitter is urging all of its more than 330 million users to change their password immediately. The advice comes after the company found that a bug had caused its servers to store passwords in unmasked form. While Twitter's internal investigation found no evidence that the passwords were breached or misused, the company is still recommending that users change their password as a precaution.
Normally, sensitive data like passwords are stored on servers in hashed form: the server keeps only a one-way transformation of the password (a fixed-length string of letters and numbers), not the password itself. Doing this prevents attackers from recovering passwords even if they manage to gain access to the server. However, in this instance, a bug in Twitter's servers caused passwords to be stored in plain text, without any hashing. Twitter says it found the bug itself and is confident that there has been no misuse of the unprotected passwords. The company says there is “no reason to believe password information ever left Twitter’s systems or was misused by anyone.”
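To make the hashed-versus-plaintext distinction concrete, here is an added example that is not Twitter's code (which is not public): a salted PBKDF2 password store, next to the kind of log line that defeats it by writing the password out before hashing. The usernames, passwords and log format are constructed for the demo; PBKDF2-HMAC-SHA256 is an assumption standing in for whatever hash Twitter actually uses.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for the demonstration; not real account data.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"
ITERATIONS = 600_000  # slow on purpose: makes offline guessing expensive


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'iterations$salt$digest' that does not contain the password.

    A fresh random salt means two users with the same password get different
    records, so a stolen table cannot be attacked with one precomputed list.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(
        [str(ITERATIONS), base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_b64, digest_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def login_log_line_unsafe(user: str, password: str) -> str:
    """The failure mode the article describes: the raw password is written out."""
    return f"login user={user} password={password}"


def login_log_line_safe(user: str) -> str:
    """Log the event without the secret; hashing happens elsewhere, never in logs."""
    return f"login user={user} password=[redacted]"


def leaks_password(text: str, password: str) -> bool:
    """Defender's check: does this log line or stored record expose the secret?"""
    return password in text


if __name__ == "__main__":
    record = hash_password(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("verify ok:", verify_password(SAMPLE_PASSWORD, record))
    print("record leaks password:", leaks_password(record, SAMPLE_PASSWORD))
    print("unsafe log leaks password:",
          leaks_password(login_log_line_unsafe(SAMPLE_USER, SAMPLE_PASSWORD), SAMPLE_PASSWORD))
```

Run against a real log archive, the same substring check (with the set of known test passwords) is a cheap way to confirm that no code path writes credentials before they reach the hash function.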
However, Twitter suggested that its users change their passwords “out of an abundance of caution.” The company also wants the users to change passwords of other third-party apps and sites authorised with their Twitter account.
Twitter hasn’t revealed how many users’ passwords may have been exposed or how long the bug was exposing passwords before it was found and fixed. However, a source told Reuters that the number was “substantial” and that the passwords were exposed for “several months.” The fact that the company is urging its entire user base to change their passwords also points to a significant security flaw in its servers.
This security flaw couldn't have come at a worse time for Twitter. Another social media giant, Facebook, is still recovering from a wave of backlash after it was revealed that it grants third-party apps and services certain access to user data without users' consent. The European Union is also due to start enforcing a new privacy law, the General Data Protection Regulation (GDPR), later this month. So there's every possibility that Twitter will face scrutiny in the near future because of the bug.
In the meantime, you're advised to change your password and enable two-factor authentication. Also, consider using a password manager and avoid reusing passwords across services. These steps will protect you from the worst of the damage when leaks like this happen.