If you use Twitter, you should change your password ASAP, and should also change it on any other sites where you use the same one, the social media site is advising users. In a May 3 tweet from the Twitter Support account, Twitter revealed it "recently found a bug that stored passwords unmasked in an internal log." The site clarified that the bug is fixed and it has "no indication of a breach or misuse by anyone," but still suggests users pick a new password as a precaution.
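The defect Twitter describes, passwords reaching an internal log before they were masked, is the kind of thing a log-redaction filter is meant to stop. The following is an added example and not Twitter's own code; the set of key names it treats as sensitive, and the `auth` logger name, are assumptions for the demo.

```python
import logging
import re
from typing import Any

# Keys whose values must never reach a log line. Assumed list for this example;
# a real service would extend it to match its own request and event schemas.
SENSITIVE_KEYS = {"password", "passwd", "new_password", "old_password", "token", "secret"}
MASK = "[REDACTED]"
_KEYS = "|".join(re.escape(k) for k in sorted(SENSITIVE_KEYS))
# "password=hunter2" in form-encoded bodies or query strings.
_FORM_RE = re.compile(rf"(?i)\b({_KEYS})=([^&\s]*)")
# "'password': 'hunter2'" in a dict repr, or "password": "hunter2" in JSON logged as text.
_JSON_RE = re.compile(rf"""(?i)(['"])({_KEYS})\1\s*:\s*(['"])[^'"]*\3""")

def redact(value: Any) -> Any:
    """Copy of `value` with every value under a sensitive key masked, recursing into nested containers."""
    if isinstance(value, dict):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else redact(v)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value

def redact_text(text: str) -> str:
    """Mask sensitive values that are already embedded in a string."""
    text = _FORM_RE.sub(lambda m: f"{m.group(1)}={MASK}", text)
    return _JSON_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(1)}: {m.group(3)}{MASK}{m.group(3)}", text)

class RedactingFilter(logging.Filter):
    """Scrubs every record before any handler formats it; attach to the root logger or to each handler.

    Structured arguments are redacted first, then the rendered message is scrubbed as text,
    so both dict payloads and pre-formatted strings are covered.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):  # logger.info("%(user)s ...", {...}) style
            record.args = redact(record.args)
        elif record.args:
            record.args = tuple(redact(a) for a in record.args)
        record.msg = redact_text(record.getMessage())
        record.args = ()  # message is already rendered above
        return True  # never drop the record, only sanitise it

def rendered_line(msg: str, *args: Any) -> str:
    """Build a record, run it through the filter and return what a handler would write (demo helper)."""
    record = logging.LogRecord("auth", logging.INFO, "auth.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()
```

A filter like this is a safety net, not a substitute for hashing passwords as soon as they arrive and never passing the plaintext to code that logs whole request objects.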
Jack Dorsey, Twitter's chief executive, tweeted from his own account saying he believes "it's important for us to be open about this internal defect." Parag Agrawal, Twitter's chief technology officer, also tweeted from his account about the incident, saying, "We are sharing this information to help people make an informed decision about their account security. We didn't have to, but I believe it's the right thing to do."
Agrawal later followed up his tweet with another, saying, "I should not have said we didn’t have to share. I have felt strongly that we should [share the information with users]."
Twitter did not publicly reveal how many passwords were affected or how long they were exposed, but according to Reuters, "[a] person familiar with the company's response said the number was 'substantial' and that they were exposed for 'several months.'"
The person also told Reuters that Twitter discovered the bug a few weeks ago and that it reported it to some regulators. Reuters specified that the person was not authorized to discuss the leak publicly. A Twitter representative tells Bustle they can confirm that Twitter did report the exposure to some regulators, but "have no additional details to share on timing."
Twitter's decision to announce the internal leak is not a surprise given the increased awareness and concern about the safety of users' private and personal data on social media sites after data mining firm Cambridge Analytica allegedly scraped the data of more than 50 million Facebook users without their permission.
Security expert Graham Cluley told BBC News Twitter's response is a positive one. "It's quite encouraging that Twitter both found the problem internally, and informed its users quickly and transparently," he said. "Something similar just happened to [software development platform] GitHub and I wonder if Twitter's discovery was caused by them asking: 'Hey, see that GitHub problem? Do you think something like that could happen to us?'"
Whether or not you change your password is up to you. BuzzFeed pointed out that Twitter "referred to changing your password as a 'precaution' rather than an imperative," and that Agrawal called it a "decision" in his tweet, "rather than an obligation."
But as is the case with all password exposures and data leaks, it is definitely safest for you to go ahead and preemptively change your password — and don't forget that if you used the same password on Twitter as you do other sites and services, you'll need to change all of those too.
Of course, you can take this opportunity to beef up your password, which, while it may not protect you from exposures like this one, will increase your accounts' general security. According to WIRED's list of ways to make your password as bulletproof as possible, you should "go long," making your password at least 12 to 15 characters long. WIRED says a long password is essential, and that length is actually far more protective than rules requiring at least one uppercase character, at least one lowercase, at least one numeral, and so on (and on, and on).
WIRED also says to stop using the same password across multiple accounts altogether, not to trust your browser to remember your passwords for you because "the underpinning security is often undocumented," and to make use of two-factor authentication, which can protect you even if someone does get hold of your password, as you'll have to confirm the login through your phone or email before gaining access to your account.
You can turn on two-factor authentication for your Twitter account right now by going to Settings, then Account, and turning on login verification.