
Twitter makes everyone change their password

May 3 · Issue #129
The Interface
After spending the past two months in the angry-media spotlight, Facebook finally caught a breather on Thursday, as another social network elbowed its way to the front of the news cycle with a gobsmacking mistake of its own. It was Twitter, of course. Here’s my colleague Chaim Gartenberg:
Twitter is urging all of its more than 330 million users to immediately change their passwords after a bug exposed them in plain text. While Twitter’s investigation showed that there was no evidence that any breach or misuse of the unmasked passwords occurred, the company is recommending that users change their Twitter passwords out of an “abundance of caution,” both on the site itself and anywhere else they may have used that password, which includes third-party apps like Twitterrific and TweetDeck.
According to Twitter, the bug occurred due to an issue in the hashing process that masks passwords by replacing them with a random string of characters that get stored on Twitter’s system. But due to an error with the system, apparently passwords were being saved in plain text to an internal log, instead of masking them with the hashing process. Twitter claims to have found the bug on its own and removed the passwords. It’s working to make sure that similar issues don’t come up again.
Now, just because the passwords were available to read in plain text doesn’t mean anyone saw them. The internal log was apparently viewable only to some unknown subset of Twitter employees, and so far there’s no evidence anyone misused it. 
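The bug class described above is easy to reproduce in miniature: the password is hashed correctly at rest, but a log statement upstream of the hashing step records the whole request. The example below is added here and is not Twitter's code or the article's; it uses PBKDF2 from the Python standard library in place of the bcrypt hash Twitter said it uses, an in-memory buffer in place of an internal log file, and a constructed sample request. The leaky and hardened handlers sit side by side, with a crude check a responder could run over a log dump to confirm whether plaintext actually landed in it.

```python
"""Password hashing beside the logging mistake that defeats it (added example)."""
from __future__ import annotations

import hashlib
import hmac
import io
import logging
import os

ITERATIONS = 200_000  # PBKDF2 work factor; an assumption, not Twitter's parameters


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record: algo$iterations$salt$digest.

    PBKDF2 stands in for bcrypt here; the property is the same: the store holds
    a one-way, salted digest and never the password itself.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def _capturing_logger(name: str) -> tuple[logging.Logger, io.StringIO]:
    """Logger that writes to an in-memory buffer, standing in for an internal log file."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


# Hypothetical field names for this example's request shape.
SENSITIVE_FIELDS = {"password", "new_password", "current_password"}


def redact(form: dict) -> dict:
    """Replace secret-bearing fields before the request is rendered anywhere."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in form.items()}


def change_password_leaky(form: dict) -> tuple[str, str]:
    """The failure mode: the whole request is logged before the password is hashed."""
    logger, buf = _capturing_logger("leaky")
    logger.info("password change request: %s", form)  # plaintext lands in the log
    stored = hash_password(form["new_password"])
    return stored, buf.getvalue()


def change_password_safe(form: dict) -> tuple[str, str]:
    """Hardened: sensitive fields are redacted before anything reaches the log."""
    logger, buf = _capturing_logger("safe")
    logger.info("password change request: %s", redact(form))
    stored = hash_password(form["new_password"])
    return stored, buf.getvalue()


def log_leaks_secret(log_text: str, secret: str) -> bool:
    """Responder's check over a log dump: does the plaintext secret appear verbatim?"""
    return secret in log_text


if __name__ == "__main__":
    # Constructed sample request; not real data.
    form = {"user": "alice", "new_password": "correct horse battery staple"}
    stored, leaky_log = change_password_leaky(form)
    print("leaky log:", leaky_log.strip())
    print("plaintext in log?", log_leaks_secret(leaky_log, form["new_password"]))
    _, safe_log = change_password_safe(form)
    print("safe log:", safe_log.strip())
    print("plaintext in stored record?", form["new_password"] in stored)
    print("verify correct password:", verify_password(form["new_password"], stored))
```

The stored record is identical in both handlers; the difference is only what was written to the log on the way there, which is why a hashing scheme being correct says nothing about whether a plaintext copy exists elsewhere. A redaction step that runs before any rendering of the request, plus a periodic scan of logs for known test credentials, is the practical control.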
But the company turned what should have been a trust-building disclosure into a public-relations problem. Twitter’s chief technology officer, Parag Agrawal, tweeted: “We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.”
As I said at the time, “We didn’t have to tell you” that 330 million passwords were available to read in plain text is a hell of a take from the CTO. Especially when the company is also telling 330 million people to change their passwords in response. It’s somewhat akin to a firefighter telling you that, while he didn’t have to remove the smoldering pile of oily rags from your basement, it was the right thing to do. Not wrong, exactly, but not confidence-building either.
Agrawal soon reversed course. “I should not have said we didn’t have to share,” he tweeted. “I have felt strongly that we should. My mistake.”
It was another Twitter user felled by the deeply relatable urge to say something in response to current events, even if they were better off letting someone else do the talking. I believe Agrawal meant well, but today he learned Twitter’s most fundamental lesson — never tweet — the hard way. 

Democracy
Twitter approved an ad pretending to be Twitter.
What the life and death of Cambridge Analytica tells us about politics — and ourselves
Chris Cox interviews Kofi Annan about social media and democracy
Facebook’s Double Standard on Privacy: Employees Vs. the Rest of Us
Facebook’s Future Is Dogged by Its Recent History
Facebook Placed An Employee Who Harvested User Data For Cambridge Analytica On Leave
Elsewhere
Facebook May Have Secret Plans to Build a Satellite-Based Internet
Facebook’s dating service is a chance to meet the catfisher, advertiser or scammer of your dreams - The Washington Post
Facebook Hid Unreleased Features in Its AR Scavenger Hunt at F8
Google Wunderkind Is Building a Secret Social-Gaming Startup
Telegram Messaging App Scraps Plans for Public Coin Offering
Launches
Instagram quietly launches payments for commerce
Takes
Facebook Wants to Connect Users But Neglects How It Makes Money
A Nutrition Label for Internet Privacy. And Apple Should Lead the Way.
And finally ...
Romance Scam Victims Say Facebook Dating Is A Train Wreck In The Making
Talk to me
Questions? Comments? Twitter passwords? casey@theverge.com