A bug that affected Twitter’s password recovery systems for about 24 hours last week is believed to have exposed the e-mail addresses and phone numbers of about 10,000 users, the company said yesterday in a blog post. Twitter said it “immediately fixed” the problem after it was identified, and will be working with law enforcement authorities “as appropriate.”
The company did not respond to our request for more details about how the bug was identified or its ongoing investigation. However, all the affected account holders have been notified, and the bug did not expose users’ passwords or other information that could allow unauthorized account access, according to the Twitter blog update.
Although it affected only a small number of Twitter’s 320 million monthly active users, the issue “serves as a reminder to us all about the importance of good account security hygiene,” said Twitter’s trust and security officer Michael Coates in the post.
Investigation Is Pending
In addition to relaying an apology from the company, Coates noted that Twitter is working with law enforcement to “conduct a thorough investigation and bring charges as warranted.” He added that the company will also permanently suspend any users found to have exploited the bug while it was active to gain unauthorized access to the account information of other users.
Twitter users can help protect their account information by using two-factor authentication and strong passwords of at least 10 characters that mix uppercase and lowercase letters, numbers and symbols, Coates said. Users should also review their settings to revoke access for any third-party applications they don’t recognize, and turn on the option that requires an e-mail address and mobile phone number to reset the password, he said.
In a recent commentary on Medium, Coates said that the Internet should be protected by a “basic set of user rights” recognized by both tech companies and regulatory agencies. “Users should not have to petition companies to implement security or fix egregious vulnerabilities,” he said. “The protection of sensitive user data should be backed by regulation that has teeth.”
‘The Password Is Broken’
Poor password management and single-factor authentication are helping to create “the potential for widespread security incidents due to data breaches and other issues in today’s threat landscape,” according to a study commissioned last year by the mobile identity company TeleSign. The report found that 68 percent of consumers surveyed “want companies to provide an extra layer of security” beyond passwords.
“Issues like what occurred with Twitter’s password recovery this week are a daily occurrence,” TeleSign senior vice president of marketing Brian Czarny told us via e-mail. “What we know is, the password is broken. Thankfully many forward-thinking companies, like Twitter, have put measures in place that add additional layers of security to protect user accounts, such as their ‘login verification,’ sometimes called two-factor authentication or 2FA.”
TeleSign recently launched an online resource — www.turnon2fa.com — to help people better understand two-factor authentication because education is key, he said.