Twitter catches 24-hour bug: Brief password glitch potentially exposes user info

February 18, 2016

For approximately 24 hours last week, Twitter's password recovery systems contained a bug that could have potentially exposed the email addresses and phone numbers of about 10,000 active account-holders, the social networking giant acknowledged yesterday.

The company assured customers that it fixed the issue immediately upon discovery and that the problem did not expose passwords or any other information that could be used to directly access an account.

“We take these incidents very seriously, and we're sorry this occurred,” Twitter said in a blog post. “Any user that we find to have exploited the bug to access another account's information will be permanently suspended, and we will also be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted.”

The specifics of the bug were not revealed, but it's not necessarily surprising that resetting a password could result in accidental leakage of contact information. “When you reset your password on virtually any online service, the [new temporary] password is sent to an email address,” said Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), told SCMagazine.com. As a result, website passwords and email addresses are often inextricably linked.

Kaiser praised Twitter's quick turnaround from discovering the glitch to administering a fix. “It seems like it was pretty fast, with only a small number of accounts affected, given the entire Twitter universe,” said Kaiser, noting that because the problem appears to be an “internal vulnerability” within Twitter, it was likely easier to fix than if the problem had required users to download a patch. As of Dec. 31, 2015, Twitter boasted 320 million monthly active users, per the company's website.

Twitter leveraged the incident as a teaching moment to remind users about the important of responsible password management. In its blog post, the company recommended login verification (aka multi-factor authentication), stronger passwords and revoking the access privileges of unrecognized third-party applications. The company said it has alerted all customers affected by the bug. SCMagazine.com's request for further details from Twitter went unanswered.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Twitter catches 24-hour bug: Brief password glitch potentially exposes user info

Related

Capita hack-related breaches reported by nearly 90 orgs

Why are 1.8M Apria patients just now being notified of a 2021 data breach?

Data breach confirmed by Luxottica after leak of over 70M customers’ records

Related Events

Stemming the rising tide of fraud with machine learning and AI

Part 2: Detection & Response Demo: Patrolling Every Packet & Process for Signs of Compromise

Part 1: The Telltale Signs of a Network Compromise: A Stage-by-Stage Attack Chronology

Get daily email updates