“Twitter Breach” Another breach on the web. This time is different.
330 million people urged to change their passwords.
Thursday, 3 May 2018
Twitter has confirmed that they found no sign of a “data breach or misuse by anyone” during their investigation. However, they did tell 330 million users to change their passwords, due to a bug discovered with password hashing.
More to come…
When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.
Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.
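To show how this class of bug arises and one guard against it, here is an added example that is not Twitter's code: a constructed sign-up handler logs the raw request before the password is masked, and a logging filter redacts password fields before anything is written. The handler, field names and sample request are assumptions, and PBKDF2 stands in for whatever masking Twitter actually uses.

```python
import hashlib
import io
import logging
import os
import re

# Any form field whose name ends in "password" is treated as a secret (assumption).
_SECRET_RE = re.compile(r"(?i)\b(\w*password)=([^&\s]+)")

class RedactSecrets(logging.Filter):
    """Mask secret fields in a record before the handler writes it."""
    def filter(self, record):
        record.msg = _SECRET_RE.sub(r"\1=[REDACTED]", record.getMessage())
        record.args = None  # message is already fully formatted
        return True

def mask_password(password, salt):
    """Stand-in for the 'masking' step: a salted, slow one-way hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def handle_signup(form_body, logger):
    """Hypothetical handler showing the bug class: the raw body is logged
    before the password has been hashed, so plaintext reaches the log."""
    logger.info("signup request body: %s", form_body)
    fields = dict(pair.split("=", 1) for pair in form_body.split("&"))
    return mask_password(fields["password"], os.urandom(16))

def run(redact):
    """Run the handler against an in-memory log and return the log text."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if redact:
        handler.addFilter(RedactSecrets())
    logger = logging.getLogger("signup-redacted" if redact else "signup-raw")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers = [handler]
    # Constructed sample request, not real data.
    handle_signup("user=alice&password=correct-horse-battery", logger)
    return stream.getvalue()

if __name__ == "__main__":
    print("without filter:", run(False), end="")
    print("with filter:   ", run(True), end="")
```

The stored hash is the same in both runs; only the log differs, which is why a bug like this can go unnoticed until someone audits the logs themselves.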
Here's how to protect yourself.
Twitter could have forced all of its users to change their passwords to guarantee their security.
To do just that for your own account, navigate to Settings and privacy > Password. Enter your current password and then pick a new one. And if you used your old Twitter password for any other accounts, you should change those, too.
You really should consider setting up two-factor authentication.
While you're at it, set up two-factor authentication for Twitter if you don't have it enabled already.
Go to Settings and privacy > Account. In the Security subsection, click on Review your login verification methods.
After entering your (newly revised) password to confirm that you want to make changes, you'll land on a Login verification screen.
Here you can set things up so you receive second-factor codes via SMS or, preferably, using a code-generating app like Google Authenticator or Authy.
The problem Twitter announced today is exactly the type of situation where two-factor is helpful—even if your Twitter password was compromised while it was exposed in the internal log, two-factor would keep a bad actor from using that information alone to access your account.