Twitter has announced a big issue. There is a bug that allowed users' passwords to be stored internally without being masked. When things are working correctly, Twitter stores hashed passwords, turning them into random letters and numbers so that no one at the company can see what any user's password happens to be. But a bug has caused passwords to be stored within an internal log – before the hashing process is complete. Twitter says that it spotted the problem itself and fixed it. But while it claims there has been no evidence that the passwords were misused or that they left the company’s systems, Twitter is recommending that everyone change their passwords just to be safe.
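To make the bug class concrete, here is an added example (not Twitter's code, and not from the original post) of a sign-up handler that logs the request before the password is hashed, next to the same handler with a log filter that masks the field. The field names, the logger setup and the choice of PBKDF2 are assumptions for illustration; the post does not say which hashing algorithm Twitter uses.

```python
import hashlib, hmac, io, logging, os

SENSITIVE_KEYS = {"password", "new_password"}  # assumed field names

class RedactSecrets(logging.Filter):
    """Mask sensitive fields in dict-style log arguments before any handler runs."""
    def filter(self, record):
        if isinstance(record.args, dict):
            # Build a new dict so the caller's form data is left untouched.
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True

def hash_password(password, salt=None):
    # PBKDF2-HMAC-SHA256 is an assumption; any slow, salted password hash fits here.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def make_logger(name, redact):
    # In-memory stream stands in for the internal log file.
    stream = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(stream))
    if redact:
        logger.addFilter(RedactSecrets())
    return logger, stream

def handle_signup(logger, form):
    # The bug class: the request is written to the log before hashing happens.
    logger.info("signup user=%(user)s password=%(password)s", form)
    return hash_password(form["password"])  # only salt + digest are stored

def demo():
    form = {"user": "alice", "password": "correct horse battery staple"}  # constructed
    results = {}
    for name, redact in (("leaky", False), ("hardened", True)):
        logger, stream = make_logger(name, redact)
        salt, digest = handle_signup(logger, form)
        results[name] = (stream.getvalue(),
                         verify_password(form["password"], salt, digest))
    return results

if __name__ == "__main__":
    for name, (log_text, ok) in demo().items():
        print(name, "| login still verifies:", ok, "| log:", log_text.strip())
```

In both runs the stored value is only the salt and digest; the difference is whether the plaintext also ends up in the log, which is what makes a password change necessary even when the password database itself is intact.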
What I really like about Twitter’s approach to this is that they’re not just relying on the media and social media to get the message out there; they are notifying you themselves. If you log into your Twitter account, you will receive a notification telling you about this issue and urging you to change your password.
But is this whole password thing a big issue for Twitter? The company says there’s been no indication of a security breach tied to the log that contained those login credentials, but we do need to take this seriously. It is 2018, but that doesn’t mean we’re safe. Far from it. You need to change your password — on Twitter and with any other account where you might’ve repeated that password — and secure your Twitter account immediately. The full scope of what happened here isn’t yet clear (or how many users were directly affected), but there’s no downside to taking immediate action.
While changing your password is going to give you a certain level of protection, you should also consider two-factor authentication. Two-factor authentication can either send a code to your mobile phone number whenever a new device attempts to sign in to your account with an incorrect password – or you can generate your own code within a third-party app made for this specific process, such as Authy. In some ways, the app-based approach is actually safer, since SMS can also be compromised. I mean, what can’t?
Turning on two-factor authentication is actually quite easy. If you’re using the web:
- Click your profile icon, then click Settings and privacy.
- Choose Account and then Set up login verification. On mobile, there’s an extra step here where you’ll have to tap on the Security section inside Settings and privacy.
- Read the overview instructions, then click Start.
- Enter your password and click Verify.
- Click Send code to add your phone number if that’s the verification method you want.
- Enter the verification code sent to your phone, hit Submit, and login verification will then be enabled.
I actually think that Twitter is being extremely proactive with this possible breach. Unlike some companies that we know of. I realize that this isn’t “good news” for Twitter, but I would still like to commend them for how they’re operating at least. Instead of leaving users in the dark, they are being very upfront and honest about what’s happening and what you can do to protect yourself. And honestly, in 2018, I feel like that’s all we can ask.