Twitter Suggests You Change Your Password After They’re “Unmasked in an Internal Log”

Do you know your Twitter password by heart? That’s great, but the problem is there may be more people than you that know it as well. The social network has announced that stored passwords were “unmasked” by a bug in an internal log.

How does this affect your account? Does this mean someone else is now in possession of your password? What can you do to protect yourself moving forward? We’ll take a look at the situation in this article and what Twitter suggests you do to protect your account.

The Announcement

This bug was announced in the Twitter blog. To soften the blow, Twitter initially explained that they have every intention of keeping your password safe.


Twitter uses a technology that “masks” the password you set for your Twitter account. This ensures that no one at the social network can see it and is designed to keep your account secure.

We mask passwords through a process called hashing using a function known as bcrypt,” explained the blog, “which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.

They found that with this bug passwords were written to an internal log before the hashing process was finished. After they found the error, they removed the passwords. They stress that it does not appear that the passwords were breached or misused at all. Yet, the folks at Twitter are working on making sure this never happens again.

Changing Your Password and More


Stressing that nothing seems to have been compromised, Twitter is doing everything to be sure it doesn’t happen again, and they want users to do the same. They suggest you take the following steps.

  • Change your password on Twitter itself and also on any other app or website where you used the same password.
  • Be sure to choose a strong password that is not used on other apps or websites.
  • Use two-factor authentication, also know as login verification. They believe it’s the best thing you can do to remain secure.
  • To be sure you’re using strong and unique passwords always and in all situations, use a password manager.

Wrapping Up

Twitter ends the blog saying, “We are very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day.

They seem to have done everything they could in this situation after they found the bug. There have been services in the past who had similar or worse compromises that didn’t have full disclosure, so that much is appreciated, that they not only took care of it but were honest with users once they found it instead of hiding it. They seem to be doing everything they can to fix it and to make sure users are protected better moving forward.

What are your thoughts on this? Will this change your use of Twitter in the future? Or are password compromises becoming so commonplace that it’s no big deal anymore? Let know what you think!

Laura Tucker Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.


  1. Your click-bait headline is misleading, untrue, misquoting… a lie. By deceitfully cutting-and-pasting a PART of a sentence, you completely change what they actually said.

    Twitter, in an “overabundance of caution” informed its users that our passwords are stored on their servers in an unsalted — i.e., “unmasked”– format. That is not the same as what your headline says. No one “unmasked” –i.e., maliciously revealed–

    Your credibilty is besmirched.

  2. I stand by my headline. It is not deceitful. It is not clickbait. I am not that type of writer. Yes, the passwords were “unmasked.” The blog that I referenced says, “Due to a bug, passwords were written to an internal log before completing the hashing process.” This means the passwords were still unmasked at the time they were written to the internal log as they didn’t complete the hashing process. Had they completed the hashing process, they would have been masked, but they didn’t. So they were “unmasked” in the internal log, and because of that, Twitter suggests that everyone reset their password. They do not believe the passwords were compromised in terms of nefarious people seeing them, but yes, they were in the internal log “unmasked.” That is the reason for the reference in my title, not because I was using it as ” clickbait,” and not because I am deceitful. I take my job very seriously.

Comments are closed.