On Thursday, Twitter began urging all 336 million of its users to change their passwords, following news that passwords had been erroneously stored in plaintext in an unencrypted log. Users logging in after Thursday are met with a pop-up urging them to change their passwords and explaining the situation. Jack Dorsey, Twitter CEO, expressed the need to be “open about this internal deficit.”
How Long Have They Known?
What remains unknown, in spite of Twitter’s partial transparency on the issue, is when this data mishandling was discovered, or for how long the passwords had been stored in this way. Normally a service never stores the password itself. It stores the output of a one-way “hash” function: the password is transformed into a fixed-length digest from which the original cannot be recovered, and a login is verified by hashing the submitted password and comparing the result with the stored digest. Anyone who obtains the stored values therefore sees only gibberish that cannot be turned back into passwords. The log that Twitter disclosed, however, held the passwords in plain text.
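The contrast the paragraph draws, as an added example rather than anything from Twitter’s systems: the first half salts and hashes a password with PBKDF2-HMAC-SHA256 and verifies a login against the digest; the second half is the kind of log filter that would have kept a raw password out of a log in the first place, plus an audit check for lines that already leaked one. The field names, the iteration count and the sample log lines are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Assumption: a PBKDF2 iteration count in line with current guidance; the
# exact figure is illustrative, not taken from the article.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A random per-password salt means two users who chose the same password
    still end up with different stored values.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Log-scrubbing side. Matches a password-looking key (assumed names), its
# separator, and either a quoted or a bare value.
SECRET_FIELD = re.compile(
    r'(?i)(\b(?:password|passwd|pwd)\b["\']?\s*[=:]\s*)'  # key plus separator
    r'(?:"([^"]*)"|\'([^\']*)\'|([^\s&,]+))'               # quoted or bare value
)


def _redact(match: "re.Match") -> str:
    prefix = match.group(1)
    if match.group(2) is not None:
        return f'{prefix}"[REDACTED]"'
    if match.group(3) is not None:
        return f"{prefix}'[REDACTED]'"
    return f"{prefix}[REDACTED]"


def redact_secrets(line: str) -> str:
    """Replace the value of any password-looking field before the line is written."""
    return SECRET_FIELD.sub(_redact, line)


def scrub_log(lines: List[str]) -> List[str]:
    return [redact_secrets(line) for line in lines]


def find_leaks(lines: List[str]) -> List[int]:
    """Audit an existing log: indices of lines that still carry an unredacted password field."""
    hits = []
    for index, line in enumerate(lines):
        for match in SECRET_FIELD.finditer(line):
            value = next(g for g in match.groups()[1:] if g is not None)
            if value != "[REDACTED]":
                hits.append(index)
                break
    return hits


# Constructed sample log lines for the illustration (not real traffic).
SAMPLE_LOG = [
    "POST /login user=alice password=hunter2 status=200",
    'DEBUG form={"user": "bob", "password": "correct horse"}',
    "GET /timeline user=carol status=200",
]

if __name__ == "__main__":
    stored = hash_password("hunter2")
    print("stored:", stored)
    print("login ok:", verify_password("hunter2", stored))
    print("leaking lines before scrub:", find_leaks(SAMPLE_LOG))
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

The two halves address different failure points: hashing protects the value at rest in the credential store, while the log filter covers the path the article describes, where a password that is correctly hashed in the database still ends up written verbatim by some request or debug logger before hashing happens.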
Not a Breach
Twitter has been quick to point out that this was not a data breach, like the Target credit card debacle, nor did they have to inform anyone of this lapse in security. Twitter’s CTO, Parag Agrawal, tweeted: “We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.”
Best Way to Handle This?
This news is unusual in that it was disclosed by Twitter itself, and, as Agrawal so humbly observed, they didn’t have to inform the world of their mishandling of users’ passwords. Had the news broken without an official word from Twitter, however, it would have gone from “unusual blip” to “full-blown security scandal,” so the choice to inform the public was surely a wise one.