Twitter Inc. TWTR 0.54% on Thursday said it found a bug in how it stored user passwords that could have left them visible to people in its internal computer system.
Twitter urged its users to change their passwords, but said an investigation showed no indication of a breach.
“We are very sorry this happened,” Twitter’s chief technologist Parag Agrawal said in a blog post. Twitter’s disclosure came on Thursday, a day that corporations and some government officials observe as “World Password Day.”
More News
To protect users’ passwords, Twitter uses a common technology that masks passwords so that no one within Twitter can view them. The mistake Twitter identified on Thursday undid this layer of security protection.
The company uses a cryptographic technique to convert users’ passwords into a unique string of letters and characters, called a hash, which is stored on Twitter’s servers and used to authenticate login attempts.
But, due to the bug, Twitter ended up storing the passwords before this hashing process had been completed, meaning that they could have been stolen by a hacker or an insider with access to Twitter’s internal networks. Twitter didn’t say how many accounts were affected.
Previous security flaps at Twitter have been more serious. In 2016, Twitter notified millions of users that their accounts were at risk of being taken over after a database containing nearly 33 million purported usernames and passwords for Twitter accounts was made public.
Twitter users can change their passwords by going to the password settings page.
—Robert McMillan contributed to this article
Write to Georgia Wells at Georgia.Wells@wsj.com
Appeared in the May 4, 2018, print edition as 'Twitter Urges Password Resets.'