Breach, Data Security, Network Security, Vulnerability Management

Twitter catches 24-hour bug: Brief password glitch potentially exposes user info

For approximately 24 hours last week, Twitter's password recovery systems contained a bug that could have potentially exposed the email addresses and phone numbers of about 10,000 active account-holders, the social networking giant acknowledged yesterday.

The company assured customers that it fixed the issue immediately upon discovery and that the problem did not expose passwords or any other information that could be used to directly access an account.

“We take these incidents very seriously, and we're sorry this occurred,” Twitter said in a blog post. “Any user that we find to have exploited the bug to access another account's information will be permanently suspended, and we will also be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted.”

The specifics of the bug were not revealed, but it's not necessarily surprising that resetting a password could result in accidental leakage of contact information. “When you reset your password on virtually any online service, the [new temporary] password is sent to an email address,” Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), told SCMagazine.com. As a result, website passwords and email addresses are often inextricably linked.

Kaiser praised Twitter's quick turnaround from discovering the glitch to administering a fix. “It seems like it was pretty fast, with only a small number of accounts affected, given the entire Twitter universe,” said Kaiser, noting that because the problem appears to be an “internal vulnerability” within Twitter, it was likely easier to fix than if the problem had required users to download a patch. As of Dec. 31, 2015, Twitter boasted 320 million monthly active users, per the company's website.

Twitter leveraged the incident as a teaching moment to remind users about the importance of responsible password management. In its blog post, the company recommended login verification (aka multi-factor authentication), stronger passwords and revoking the access privileges of unrecognized third-party applications. The company said it has alerted all customers affected by the bug. SCMagazine.com's request for further details from Twitter went unanswered.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.