Twitter has told its 336 million users to change their passwords after internally exposing them in plaintext following a hashing 'glitch'.
The warning was issued overnight by the company's chief technology officer Parag Agrawal, and users have been urged to change their passwords as a matter of priority when logging in today.
"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," Agrawal said in a blog post on Thursday.
Agrawal explained that although Twitter's protocol is to use the bcrypt hashing function to mask passwords, the bug caused plaintext passwords to be "written to an internal log before completing the hashing process".
"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," he added, noting that an investigation "shows no indication of breach or misuse" by anyone.
Twitter didn't reveal how many accounts were affected by the error, but Reuters reports that the number was "substantial" and that passwords were exposed for "several months". The report also claims that the bug was first uncovered a few weeks ago, but has only now been reported to "some regulators".
Following the discovery of the glitch, the company is advising all of its users to change their password on Twitter and on all services where they have used the same password "as a precaution".
Users have also been advised to turn on two-factor authentication, with Agrawal noting: "This is the single best action you can take to increase your account security."
GitHub on Tuesday said it also exposed some users' plaintext passwords after they were written to an internal logging system.
The company admitted that while it normally stores user passwords using cryptographic hashes, the bug, which was recently introduced, resulted in the site's secure internal logs recording plaintext user passwords when the users initiated a password reset.
It's not yet known if the two incidents are related.
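Both incidents belong to the same bug class: a request containing a password is logged before the password is hashed. The following is an added example, not code from Twitter or GitHub, showing that pattern alongside a logging filter that masks sensitive fields. The field names, the `handle_signup` function and the sample request are assumptions made for the illustration, and PBKDF2 stands in for bcrypt so the example needs only the Python standard library.

```python
import hashlib
import io
import logging
import os

# Assumed field names; extend to match the application's own request schema.
SENSITIVE_KEYS = {"password", "new_password", "password_confirmation"}

def scrub(value):
    """Return a copy of value with sensitive dict fields masked, at any depth."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value

class RedactSecrets(logging.Filter):
    """Mask secrets in a record's message and arguments before it is formatted."""
    def filter(self, record):
        record.msg = scrub(record.msg)
        record.args = scrub(record.args)
        return True

def handle_signup(form, logger):
    # The bug class from the article: the raw request is logged before hashing.
    logger.info("signup request: %s", form)
    salt = os.urandom(16)
    # PBKDF2 from the standard library stands in for bcrypt here.
    digest = hashlib.pbkdf2_hmac("sha256", form["password"].encode(), salt, 100_000)
    return salt, digest

def run(with_filter):
    """Process one constructed signup and return everything written to the log."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if with_filter:
        handler.addFilter(RedactSecrets())  # attach to every handler in real use
    logger = logging.getLogger(f"demo.filtered_{with_filter}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers = [handler]
    handle_signup({"username": "alice", "password": "correct horse"}, logger)
    return buf.getvalue()

if __name__ == "__main__":
    print("unfiltered:", run(False), end="")
    print("filtered:  ", run(True), end="")
```

The filter is a safety net rather than a fix: it only catches structured arguments, so a password interpolated into a string before the logging call still reaches the log. The underlying remedy is to keep raw request bodies out of log statements.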