Twitter Inc. advised users to change their passwords after the company found a bug in its systems that exposed passwords in plain text internally.
The company said it removed the non-encrypted passwords from its system, and is working to avoid such an issue happening again. An internal investigation “shows no indication of breach or misuse by anyone” and there’s “no reason to believe password information ever left Twitter’s systems or was misused by anyone,” the social-media firm said.
Still, the company advised users to change passwords for Twitter and other services with the same password.
Online privacy scares are common nowadays. However, Twitter’s misstep is disturbing because there’s no reason for companies to store user passwords in plain text, even in internal files, according to Phil Libin, a startup founder and venture capitalist.
“This is not a breach. It’s significantly worse,” Libin wrote on Twitter. “This kind of bug seems grossly negligent at best. There’s no reason for a plaintext password to ever be written to a file. It’s not even the lazy way to code a password handler. It took effort to make this mistake.”
Twitter Chief Technology Officer Parag Agrawal said the company didn’t have to disclose the bug but decided to share the information “to help people make an informed decision about their account security.”
After being criticized by Twitter users, Agrawal backtracked. “I should not have said we didn’t have to share. I have felt strongly that we should. My mistake,” he tweeted.
Twitter shares fell 1.2 percent in extended trading following the news. The stock closed at $30.67 earlier in New York.