A Twitter security breach has hit 330 million users. Time to change your password.
Go change your Twitter password already!
The social media site is warning every one of its more than 330 million users to update their passwords after discovering it was inadvertently keeping them in an internal log before encrypting them to be stored in the system.
“We recently found a bug that stored passwords unmasked in an internal log,” its official account tweeted early on Friday. “We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password.” Twitter CEO Jack Dorsey called the bug an “internal defect” and repeated that they’ve seen “no indication of breach or misuse.”
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
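The defect Twitter describes, a password written to a log before it is hashed, is easy to reproduce and easy to check for. The following is an added example (not Twitter's code) showing a set-password handler with that bug beside a corrected one that redacts the request before logging and stores only a salted hash; the field names and the in-memory log sink are assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed example: field names, the log sink and the PBKDF2 parameters are
# assumptions, not Twitter's implementation.
SENSITIVE_FIELDS = {"password", "new_password", "token"}
ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored record never contains the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])

def redact(payload):
    """Mask sensitive fields so a request can be logged safely."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in payload.items()}

def buggy_set_password(payload, log):
    # Defect: the whole request body, password included, is logged before hashing.
    log.append("set_password request=" + json.dumps(payload))
    return hash_password(payload["password"])

def fixed_set_password(payload, log):
    # Fix: redact first, then log; only the salted hash is returned for storage.
    log.append("set_password request=" + json.dumps(redact(payload)))
    return hash_password(payload["password"])

def leaked_lines(log, secrets):
    """Detection check: return log lines that contain any known plaintext secret."""
    return [line for line in log if any(s in line for s in secrets)]

if __name__ == "__main__":
    req = {"user": "alice", "password": "correct horse battery"}  # constructed input
    bad_log, good_log = [], []
    buggy_set_password(req, bad_log)
    record = fixed_set_password(req, good_log)
    print("buggy handler leaked:", leaked_lines(bad_log, [req["password"]]))
    print("fixed handler leaked:", leaked_lines(good_log, [req["password"]]))
    print("login check:", verify_password(req["password"], record))
```

Seeding a test account with a known password and running `leaked_lines` over the application's logs is a cheap regression check for this bug class.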
It’s better to be safe than sorry, so change your Twitter login by going to password settings. Consider enabling login verification, also known as two-factor authentication, which means you’ll have to enter a password as well as a code sent to your mobile phone when signing in. And if you’ve been using this same password on other sites, you should change those, too.
But be smart about it. Too many people are still banking their online security on “123456” and “password,” according to SplashData’s most recent “100 Worst Passwords of the Year” report, which drew data from 5 million users’ leaked passwords in North America and Western Europe over the past year.
And the repeated personal-information leaks being reported by apps and online retailers are a sobering reminder that cybersecurity is an ever-bigger threat.
In March, MyFitnessPal’s 150 million users learned that a security breach at parent company Under Armour exposed their email addresses, usernames and passwords. While the leaked data didn’t include either government-issued personal information such as Social Security and driver’s license numbers (as those are not collected by the company) or payment information (because that is collected and processed separately), the leaked email addresses, usernames and passwords — especially if you use them to sign into other apps, or for shopping, banking and credit card sites — can still put your money and personal data at risk.
MyFitnessPal notified users in an email that it will require everyone to change their passwords, that it is coordinating with law enforcement and continuing to monitor suspicious activity, and that it is going to update its systems to prevent this from happening again. The app also recommended that users:
- Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
- Avoid clicking on links or downloading attachments from suspicious emails.
And in picking new passwords, avoid the top 20 worst offenders from SplashData’s list.
Honorable mentions go to “whatever” (#23), “trustno1” (#25), “blahblah” (#47) and “biteme” (#91).
And this is just the latest in a series of hacks — a recurring problem that underscores how important strong passwords are to protecting your personal information. In October 2017, Yahoo announced that three billion accounts were hacked in the massive 2013 breach, which is every account that existed at that time, including email, Tumblr, Fantasy and Flickr. Equifax, one of the three major credit reporting agencies in the U.S., revealed last year that the Social Security numbers, birth dates, addresses, driver’s license numbers and credit card information of potentially 143 million U.S. consumers may have been accessed by cybercriminals. And 1 billion Gmail users were attacked by a sophisticated phishing scam last year that sent fake Google Docs to users which, if opened, granted access to managing their emails and their contacts. (If you clicked it, take these five steps immediately.)
Luckily, there’s a tool that can show you how strong your current password is. Researchers from Carnegie Mellon University and the University of Chicago released a state-of-the-art password meter that gives you instant feedback on how strong your password is, before advising on how you can make it even stronger.
The study and the password tool were presented at the CHI 2017 conference in Denver, and a demo of the meter can be tried here.
“Instead of just having a meter say, ‘Your password is bad,’ we thought it would be useful for the meter to say, ‘Here’s why it’s bad and here’s how you could do better,’” said Carnegie Mellon professor Nicolas Christin, a co-author of the study, in a statement.
Many of us are still clueless about locking down our logins. In fact, 15.4 million Americans were hacked last year because of weak passwords or clicking on links that spread computer viruses, according to Javelin Strategy and Research.
Security experts suggest changing your password and activating a two-step authentication process to protect yourself, like with Twitter – but if you’re using the same passwords across different sites, or tapping the same tricks everyone uses (swapping your O’s for zeroes, anyone?), you’re not making your digital identity any safer.
“The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords,” said Blase Ur, a lead author on the study behind the new password meter. “If you change Es to 3s in your password, that’s not going to fool an attacker. The meter will explain about how prevalent that substitution is and offer advice on what to do instead.”
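The point Ur makes, that swapping Es for 3s does not make a password novel, is straightforward to turn into a defensive check: undo the common substitutions and compare against known-bad passwords. The following is an added example, not the CMU meter's code; the substitution table is an assumption, and the known-bad list is only the handful of entries the article quotes from SplashData's ranking, standing in for a full breached-password corpus.

```python
import itertools

# Constructed stand-in for a breached-password corpus: only the entries the
# article quotes from SplashData's list.
COMMON_PASSWORDS = {"123456", "password", "whatever", "trustno1", "blahblah", "biteme"}

# Assumed table: each substituted character and the letters it commonly replaces.
SUBSTITUTIONS = {"3": "e", "0": "o", "1": "il", "!": "i", "@": "a",
                 "$": "s", "4": "a", "5": "s", "7": "t"}

# Suffix characters people tack on to "strengthen" a familiar word.
SUFFIX_CHARS = "0123456789!@#$%^&*."

def candidates(password, limit=256):
    """Yield lowercase variants with the substitutions reversed, at most `limit`.

    Each position offers the original character plus the letters it may stand
    for, so the original string is always the first variant yielded.
    """
    options = [ch + SUBSTITUTIONS.get(ch, "") for ch in password.lower()]
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)

def weak_reason(password):
    """Explain why `password` is a disguised common password, or return None."""
    for variant in candidates(password):
        core = variant.rstrip(SUFFIX_CHARS)
        for form in (variant, core):
            if form not in COMMON_PASSWORDS:
                continue
            if form == password.lower():
                return f"'{form}' is itself one of the most common passwords"
            return (f"'{password}' is '{form}' with predictable substitutions "
                    f"or a suffix, a pattern attackers try early")
    return None

if __name__ == "__main__":
    for pw in ("p@ssw0rd", "Wh4t3v3r!", "biteme2018", "trustno1",
               "correct horse battery staple"):
        print(pw, "->", weak_reason(pw) or "no known-bad pattern found")
```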
If you suspect your financial data may have been compromised, it’s important to check all of your financial accounts and keep an eye out for suspicious activity; if you see something, report it immediately. You should also check your credit report (you get a free one from each of the three credit reporting agencies each year) and place fraud alerts on them. Click here for more security tips.
This article was originally posted in 2017, and has been updated.
© 2018 Dow Jones & Company, Inc. All Rights Reserved