Twitter recommended on Thursday that all of its 336 million users change their passwords after it discovered a bug that internally stored the passwords in an unprotected manner.
Parag Agrawal, Twitter’s chief technology officer, said in a blog post that Twitter has fixed the issue and that there were no signs that anyone had breached or misused the passwords. Still, the company suggested that users consider changing their passwords on other devices or services if they used the same password as they had on Twitter.
Normally, Twitter protects passwords through a process called hashing, in which it replaces the actual characters of a password with a seemingly random string of letters and numbers. The bug allowed passwords to be kept in an “internal log” without hashing, so they were stored in readable plain text.
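The failure mode described above, a password reaching a log before it is hashed, shown as an added Python example that is not from the article or from Twitter's code. The field names, logger name and scrypt parameters are assumptions, and the signup form is constructed sample data.

```python
import hashlib, hmac, io, logging, os

SENSITIVE_KEYS = {"password", "passwd", "pwd"}  # assumed field names

def scrub(value):
    """Return a copy of value with anything under a sensitive key masked."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value

class RedactSecrets(logging.Filter):
    """Mask password fields in log arguments before a handler writes them."""
    def filter(self, record):
        record.args = scrub(record.args)
        return True

def hash_password(password, salt=None):
    """Return (salt, digest): a salted scrypt hash, the only form to store."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def verify_password(password, salt, digest):
    """Re-hash the candidate with the stored salt; compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def log_signup(form, redact):
    """Log a signup request and return exactly what reached the log sink."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    if redact:
        handler.addFilter(RedactSecrets())
    logger = logging.getLogger("signup_demo")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(handler)
    logger.info("signup request: %s", form)  # runs before any hashing happens
    logger.removeHandler(handler)
    return sink.getvalue()

if __name__ == "__main__":
    form = {"user": "alice", "password": "correct-horse-battery"}  # constructed
    print(log_signup(form, redact=False), end="")  # plaintext lands in the log
    print(log_signup(form, redact=True), end="")   # value is masked
    salt, digest = hash_password(form["password"])
    print(verify_password(form["password"], salt, digest))
```

Hashing the stored credential does nothing for copies written elsewhere first, so the redaction has to sit on the logging path itself.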
The company is presenting users with a pop-up window that includes a message about the bug and a link to their Settings page where they can change the password.
Twitter’s CEO Jack Dorsey tweeted that he believes “it’s important for us to be open about this internal defect.”
Agrawal also took to Twitter to talk about the issue, first saying “We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.”
But when he received criticism for saying the company didn’t have to tell users about the bug, he followed up with another apology.
“I should not have said we didn’t have to share. I have felt strongly that we should. My mistake,” he tweeted.
Write to Abigail Abrams at abigail.abrams@time.com