Twitter recommended on Thursday that all of its 336 million users change their passwords after it discovered a bug that internally stored the passwords in an unprotected manner.
Parag Agrawal, Twitter’s chief technology officer, said in a blog post that Twitter has fixed the issue and that there were no signs that anyone had breached or misused the passwords. Still, the company suggested that users consider changing their passwords on other devices or services if they used the same password as they had on Twitter.
Normally, Twitter protects passwords through a process called hashing, a one-way transformation that replaces the actual characters of a password with a fixed-length string of letters and numbers from which the original cannot be recovered. The bug allowed passwords to be written to an “internal log” before hashing took place, so they were stored in readable plain text.
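The failure mode described above, as an added example that is not Twitter's code: a login handler that logs the raw request before hashing sits beside one that redacts credential fields first, with a salted PBKDF2 scheme (assumed; the article does not say which hash Twitter uses) and a detection check a defender can run over the log to confirm no raw secret reached it.

```python
import hashlib
import hmac
import os

# Stand-in for the "internal log" in the article (constructed for this example).
LOG: list[str] = []

# Field names whose values must never be written to a log.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token"}

def redact(record: dict) -> dict:
    """Return a copy of the request with sensitive values replaced, recursing into nested dicts."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme); returns 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

def handle_login_buggy(request: dict) -> str:
    """The defect: the raw request is logged before hashing, so the password lands in the log."""
    LOG.append(f"login attempt: {request}")
    return hash_password(request["password"])

def handle_login_fixed(request: dict) -> str:
    """The fix: redact before logging; only the hash is ever kept."""
    LOG.append(f"login attempt: {redact(request)}")
    return hash_password(request["password"])

def log_contains(secret: str) -> bool:
    """Detection check: scan every log line for a known raw secret."""
    return any(secret in line for line in LOG)
```

Running `handle_login_buggy` followed by `log_contains` reproduces the plaintext exposure; the fixed handler leaves only `[REDACTED]` and the stored hash still verifies.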
The company is presenting users with a pop-up window that includes a message about the bug and a link to their Settings page where they can change the password.
Twitter’s CEO Jack Dorsey tweeted that he believes “it’s important for us to be open about this internal defect.”
Agrawal also took to Twitter to talk about the issue, first saying “We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.”
But when he received criticism for saying the company didn’t have to tell users about the bug, he followed up with another apology.
“I should not have said we didn’t have to share. I have felt strongly that we should. My mistake,” he tweeted.