SAN FRANCISCO — At a time when “another day, another data breach” seems like the status quo, Twitter is receiving praise after it revealed that as many as 336 million passwords had been improperly stored.
What makes this disclosure different, security experts told NBC News, is how Twitter’s team reacted after it was discovered that some passwords were stored in plain text on Twitter’s servers due to an internal bug.
After the problem was fixed, and Twitter’s security team was able to determine that it was unlikely that the passwords had been leaked or misused, the company could have considered the case closed, according to some security experts. But Twitter decided to tell on themselves and sent users a full screen alert when they logged in, letting them know what happened and how to change their passwords.
“I wish every other organization would take a big lesson from this and be as forthright, quick, open and honest,” Bob Rudis, chief data scientist at Rapid7, a threat intelligence firm, said. “They did everything right, and it is pretty impressive to see.”
In fact, Rudis said he was “elated” when he read the news, an emotion rarely, if ever, associated with a massive bug disclosure.
The speed with which cybersecurity issues are disclosed has become a central issue as consumers and politicians put more pressure on companies to admit their mistakes in a timely manner.
The discovery of the bug — and its disclosure — comes as companies are gearing up for Europe’s strict new privacy regulations, called GDPR, which take effect May 25 and require companies to quickly report data breaches.
While Twitter’s password issue was not technically a breach, CEO Jack Dorsey said in a tweet that “it’s important for us to be open about this internal defect.”
We recently discovered a bug where account passwords were being written to an internal log before completing a masking/hashing process. We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect. https://t.co/BJezo7Gk00
— jack (@jack) May 3, 2018
In this instance, an unknown number of passwords were stored in plain text on Twitter’s systems instead of in their usual hashed form, which encrypts the passwords so that even Twitter personnel can’t use them.
Hashing, a process that converts passwords into a string of random letters and numbers, is the industry standard. Each unique string of letters and numbers is then stored on Twitter’s server.
When a user logs in, their password is turned into that unique combination of letters and numbers and compared with what’s on Twitter’s system. If the key matches the lock, they’re let in.
There are hundreds — nay, thousands — of orgs… big names… financial services… hospitality… etc. — where this occurs and is swept under a rug, then concreted over… daily… weekly… monthly. An honest mea cupla is so refreshing, esp at this scale & high visibility.
— hrbrmstr (@hrbrmstr) May 4, 2018
But there are still questions about how the password issue happened and when Twitter discovered the potential vulnerability.
Phil Libin, the former CEO of Evernote and co-founder and CEO of All Turtles, an artificial intelligence startup, tweeted that “from the information disclosed, this kind of bug seems grossly negligent at best.”
“There’s no reason for a plaintext password to ever be written to a file,” he wrote. “It’s not even the lazy way to code a password handler. It took effort to make this mistake.”
Thought Twitter was broadly praised, Parag Agrawal, its chief technology officer, apologized on Thursday after initially saying that Twitter “didn’t have to share” the details of the password issue.
But at the end of the day, Robert Siciliano, a security analyst with virtual private network provider Hotspot Shield, told NBC News that the disclosure amounts to “generally OK news” that users shouldn’t worry about, as long as they change their passwords.
Twitter was transparent and quick to communicate, and made it easy for people to change their passwords, he said.
“Changing passwords at least every year is a good thing anyway,” Siciliano said.