Twitter has urged its 330 million users to change their passwords after it was revealed a bug had left some of them exposed.
The company's CTO, Parag Agrawal, said the company had recently “identified a bug that stored passwords unmasked in an internal log.”
“We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” he said.
“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.”
Twitter, Agrawal explained, uses a cryptographic hashing process to mask internally stored passwords, like most other networks.
The bug in question led to passwords being stored in an internal log before the hashing process was completed.
“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” continued Agrawal.
Parag’s statement did not make clear how many passwords were exposed or how long the glitch had been left unidentified, however Reuters reported that it was “substantial” and for “several months”.
The glitch comes as major companies continue to be put on notice when it comes to security, following recent Facebook, Uber and Equifax breaches.
After sharing the statement on his personal account, Agrawal tweeted “We are sharing this information to help… We didn’t have to, but believe it’s the right thing to do.”
While Agrawal is correct that Twitter did not “have to” share the details of the incident, upcoming regulations may soon change this.
On 25 May, the European Union’s General Data Protection Regulation (GDPR) will come into effect – helping to safeguard the data of all EU citizens.
The regulation applies to the data of EU citizens, no matter where in the world it is being kept.
Amongst other things, one significant change being introduced by GDPR is around the notification of data breaches.
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority,” the regulation states.
While the Twitter incident may not have been a data breach as such, the expectation will now be that companies are transparent when it comes to security issues.
