# Twitter in hot water after accidentally exposing 330 million users' passwords



## FAST6191 (May 3, 2018)

"We recently identified a bug that stored passwords unmasked in an internal log."

That is not a little bug/oversight. I don't imagine for a moment that every line of their pass hashing and salting code was not gone over 50 times by multiple groups. For this to happen in spite of that... were I in their security teams right now I would almost hope it was malice that put it there.


----------



## Zhongtiao1 (May 3, 2018)

I bet a couple of people are getting fired (or at least demoted) now.


----------



## KiiWii (May 3, 2018)

Changed mine in browser, but weirdly the app on iOS didn't ask for updated password.

I manually checked the password on the app and the old pass was still in there, so I updated it and reloaded the app and was logged in. 

Found that very odd.


----------



## DeslotlCL (May 3, 2018)

Fuck. It is the same password I use almost everywhere with my main accounts, fuck my luck I guess... had to move between sites to change every single one of them...


----------



## Sakitoshi (May 4, 2018)

So that's why the app just asked about my security, I just ignored it as I always do.
I'm not worried, I'm not important enough to have something valuable for someone else and my Twitter account has my previous password anyways.


----------



## DarkFlare69 (May 4, 2018)

Fortunately I learned my lesson before and never use the same password on more than one site. My Twitter password is 24 random characters


----------



## Mr.Faq2015 (May 4, 2018)

This is one of those moments when I'm glad of not having a Twitter account...
inb4 YouTube has a "bug" that exposes all of your private videos, comments and your subscriptions/subscribers (and your password of course)

Sent from my 1DS with B9S using Discord Nitro


----------



## Deleted User (May 4, 2018)

This is why I don't use social media. Besides, what's the point of social media when you got GBAtemp?


----------



## linuxares (May 4, 2018)

DeslotlCL said:


> Fuck. It is the same password I use almost everywhere with my main accounts, fuck my luck I guess... had to move between sites to change every single one of them...


https://www.lastpass.com https://keepass.info - Problem solved!


----------



## DeslotlCL (May 4, 2018)

linuxares said:


> https://www.lastpass.com https://keepass.info - Problem solved!


I mean, I would be giving my password to another site which I have never heard about


----------



## RedoLane (May 4, 2018)

Dammit! Now I'll need to change my password from "VirginBlasterXXX69" to something else!
(Don't try that. It's only a joke)


----------



## linuxares (May 4, 2018)

DeslotlCL said:


> I mean, I would be giving my password to another site which I have never heard about


You need to seriously learn about password managers asap. Keepass is local and Lastpass is online.


----------



## DeslotlCL (May 4, 2018)

linuxares said:


> You need to seriously learn about password managers asap. Keepass is local and Lastpass is online.


Need I? I'm kinda paranoid with this kind of stuff, so I would prefer to save them in a notepad


----------



## linuxares (May 4, 2018)

DeslotlCL said:


> Need I? I'm kinda paranoid with this kind of stuff, so I would prefer to save them in a notepad


Oh boy... Notepads are really insecure


----------



## filfat (May 4, 2018)

linuxares said:


> Oh boy... Notepads are really insecure


I mean if he's talking about a real life notepad, I could kinda see the argument.. provided it's stored in a safe or similar. I seriously doubt that he is though.


----------



## sarkwalvein (May 4, 2018)

How can so much incompetence...
I guess it costs too much money to hire people who know what they're doing.


----------



## gnmmarechal (May 4, 2018)

DeslotlCL said:


> Need I? I'm kinda paranoid with this kind of stuff, so I would prefer to save them in a notepad


Uh.... That is *not* safer than keepass


----------



## WiiUBricker (May 4, 2018)

No need to hack my twitter or any social medias. I’ll give them out for free if someone wants


----------



## APartOfMe (May 4, 2018)

DeslotlCL said:


> I mean, I would be giving my password to another site which I have never heard about


LastPass is amazing. It stores and can auto fill all your passwords. It can also generate random passwords. Best of all, it syncs to the cloud, so you can access your passwords on any device.


----------



## DeslotlCL (May 4, 2018)

linuxares said:


> Oh boy... Notepads are really insecure


Providing that my phone is protected by a PIN and also my fingerprint, I doubt someone could put his hand on them, and even then, I can remember my passwords just fine


epickid37 said:


> LastPass is amazing. It stores and can auto fill all your passwords. It can also generate random passwords. Best of all, it syncs to the cloud, so you can access your passwords on any device.


Sounds nice and all, but idk... still thanks for the heads up.


----------



## yodamerlin (May 4, 2018)

With GitHub and Twitter falling for the same mistake of logging passwords, it wouldn't surprise me to see more over the next few weeks.

I think that the current state of authentication is not great, and password managers to me feel more like a hack on top of something not good that just adds friction to the far more easy solution of using the same password everywhere.

Browser based web authentication is something I look forward to.


----------



## VitaType (May 4, 2018)

FAST6191 said:


> "We recently identified a bug that stored passwords unmasked in an internal log."
> 
> That is not a little bug/oversight. I don't imagine for a moment that every line of their pass hashing and salting code was not gone over 50 times by multiple groups. For this to happen in spite of that... were I in their security teams right now I would almost hope it was malice that put it there.



It just says "internal log", possible that they did something like logging all data that gets sent by a POST request to their server, of course then including strings from the password fields.
Nevertheless it's straight up incompetence and it's hard to believe that such a large software company makes that kind of beginner mistake.



epickid37 said:


> LastPass is amazing. It stores and can auto fill all your passwords. It can also generate random passwords. *Best of all, it syncs to the cloud*, so you can access your passwords on any device.


What's the obsession some people have with sending their passwords (if non-hashing encrypted or not) to other people's computers if these computers aren't running exactly the service you use the password for?
It seems to be such an insane idea to me. You store all your passwords at one place on servers on the internet and all of them are encrypted with the same password! Not _that much_ different from just using the same password everywhere... Yes, yes, these password sites should have more knowledge than the weakest link in the selection of websites you use the same password elsewhere, but still.
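The "log every POST field" guess above is the bug class behind "stored passwords unmasked in an internal log". The block below is an added example written for this thread, not Twitter's code and not GBAtemp's: a request logger that dumps the form as-is beside one that redacts credential-looking fields before the line is written, plus a scan over existing log lines that flags any sensitive key whose value is not masked. The field names, the `/login` path, the sample form and the `SENSITIVE_KEYS` list are all constructed for the example.

```python
"""Constructed example: logging request bodies with and without redaction, and
auditing log lines for unmasked credentials. Not code from Twitter or GBAtemp."""
import json
import logging
import re
from collections.abc import Mapping
from io import StringIO
from typing import Any

# Assumed denylist: matched case-insensitively as substrings, so "password",
# "new_password" and "confirmPassword" are all caught.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "authorization", "cookie")
REDACTED = "[REDACTED]"


def is_sensitive(key: str) -> bool:
    """True if a field name looks like a credential and must never be logged."""
    lowered = key.lower()
    return any(marker in lowered for marker in SENSITIVE_KEYS)


def redact(data: Any) -> Any:
    """Return a copy of data with the values of sensitive keys masked, recursing
    into nested dicts and lists so a password inside a sub-object is masked too."""
    if isinstance(data, Mapping):
        return {k: (REDACTED if is_sensitive(str(k)) else redact(v)) for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return [redact(v) for v in data]
    return data


def log_request_unsafe(log: logging.Logger, path: str, form: Mapping[str, Any]) -> str:
    """The bug pattern: serialise every submitted field straight into the log."""
    line = f"POST {path} {json.dumps(form, sort_keys=True)}"
    log.info(line)
    return line


def log_request_safe(log: logging.Logger, path: str, form: Mapping[str, Any]) -> str:
    """The fix: redact before serialising, so the plaintext never reaches a sink."""
    line = f"POST {path} {json.dumps(redact(form), sort_keys=True)}"
    log.info(line)
    return line


# Detection for logs already written: a JSON-style "key": "value" pair whose key
# contains a sensitive marker and whose value is not the redaction placeholder.
LEAK_RE = re.compile(
    r'"(?P<key>[^"]*(?:' + "|".join(SENSITIVE_KEYS) + r')[^"]*)"\s*:\s*"(?P<value>[^"]*)"',
    re.IGNORECASE,
)


def find_leaks(lines):
    """Return (line_number, key) for every unmasked sensitive value found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in LEAK_RE.finditer(line):
            if match.group("value") != REDACTED:
                hits.append((number, match.group("key")))
    return hits


def demo():
    """Log one constructed login form both ways into an in-memory buffer and
    audit the result. Returns (log_lines, leaks_found)."""
    buffer = StringIO()
    log = logging.Logger("example.request")  # standalone logger, no global state
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buffer))

    # Constructed sample submission; the nested new_password shows why redaction
    # has to recurse rather than only look at top-level keys.
    form = {
        "username": "alice",
        "password": "hunter2",
        "profile": {"bio": "hi", "new_password": "hunter3"},
    }
    log_request_unsafe(log, "/login", form)
    log_request_safe(log, "/login", form)

    lines = buffer.getvalue().splitlines()
    return lines, find_leaks(lines)


if __name__ == "__main__":
    written, leaks = demo()
    for line in written:
        print(line)
    print("unmasked credentials found:", leaks)
```

Running it prints the unsafe line with both passwords visible, the safe line with both replaced by `[REDACTED]`, and a leak report pointing at line 1 only. The scan is the same check a log pipeline or CI job can run over sample output before a logging change ships, which is the cheap control that would have caught this class of bug.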


----------



## Hells Malice (May 4, 2018)

FAST6191 said:


> were I in their security teams right now I would almost hope *it was malice* that put it there.



I assure you, it was not I.


----------



## KingVamp (May 4, 2018)

Titanica said:


> This is why I don't use social media. Besides, what's the point of social media when you got GBAtemp?


I'm pretty certain GBAtemp had a password leak too.


----------



## Seriel (May 4, 2018)

KingVamp said:


> I'm pretty certain GBAtemp had a password leak too.


No it didn't. The supposed "password leak" was actually "that iso site" having a password leak, and people sharing their password there with GBATemp.


----------



## sarkwalvein (May 4, 2018)

KingVamp said:


> I'm pretty certain GBAtemp had a password leak too.


Did it really?
I remember some time ago there was a leak of passwords from several sites, including e.g. ngemu.com
Many users had the same password on the temps, and it was brought to the Staff's attention due to some hacked accounts, and this was the reason the whole site suggested a password change and added 2-step verification.

But the leak was not on the temps side.


----------



## KingVamp (May 4, 2018)

Seriel said:


> No it didn't. The supposed "password leak" was actually "that iso site" having a password leak, and people sharing their password there with GBATemp.


Forgot about that. I think I changed my password anyway, at the time.


----------



## Asia81 (May 4, 2018)

DarkFlare69 said:


> Fortunately I learned my lesson before and never use the same password on more than one site. My Twitter password is 24 random characters


Same, something like that


----------



## DarkFlare69 (May 4, 2018)

Asia81 said:


> Same, something like that


Yeah, pretty much


----------



## VitaType (May 4, 2018)

Titanica said:


> [...] I don't use social media. Besides, what's the point of social media when you got GBAtemp?


Let's take a look: blogs (including blogrolls), the ability to follow people and have followers (even called that way), a personal short message stream for every single user on their _profile_ page, status messages, the ability to add personal details to your profile such as birthday, country you live in, gender, occupation, a short personal text, ... and a PM system that even allows multiple users at once. At least there is nothing comparable to Facebook groups (wonder what these "watch" links above all these interest categories called forums make *click* Oh... nevermind)
If you don't like social media I fear I have really bad news for you: This software here is more of a social media software based on a forum software than just a forum software.

I agree general purpose social media such as Facebook isn't great.


----------



## MikaDubbz (May 4, 2018)

I'm surprised someone didn't swoop in, find Trump's account and just troll everyone.  That would be classic.


----------



## Viri (May 4, 2018)

MikaDubbz said:


> I'm surprised someone didn't swoop in, find Trump's account and just troll everyone.  That would be classic.


I would honestly be too scared to. I'm sure doing something like that would put me on some sort of list. I'm pretty sure it's not illegal (unsure), but I don't think I'd wanna piss off the US gov like that.


----------



## Arras (May 4, 2018)

Viri said:


> I would honestly be too scared to. I'm sure doing something like that would put me on some sort of list. I'm pretty sure it's not illegal (unsure), but I don't think I'd wanna piss off the US gov like that.


If his twitter counts as an official communication channel (and it probably does at this point), you'd probably get arrested real fast if you did that.


----------



## jt_1258 (May 4, 2018)

Fuck... well, I guess that's how some prick in Middleburg Heights, Ohio got into my school's gaming club's Twitter account yesterday


----------



## the_randomizer (May 4, 2018)

Gee, someone really screwed the pooch over at IT, sucks for them as they're gonna get fired.


----------



## sarkwalvein (May 4, 2018)

MikaDubbz said:


> I'm surprised someone didn't swoop in, find Trump's account and just troll everyone.  That would be classic.


That would be golden, really. Especially if the troll hacker starts mentioning topics and people that make no sense for the president to mention... Oh wait, was the account hacked already?


----------



## DarthDub (May 4, 2018)

MikaDubbz said:


> I'm surprised someone didn't swoop in, find Trump's account and just troll everyone.  That would be classic.


You mean he doesn't already troll people?


----------



## kuwanger (May 4, 2018)

epickid37 said:


> LastPass is amazing. It stores and can auto fill all your passwords. It can also generate random passwords. Best of all, it syncs to the cloud, so you can access your passwords on any device.



Sounds great and all until (1) some website figures a way to spoof appearing to be a bunch of others and harvests your usernames/passwords or (2) there's some Twitter-like accident where your passwords or their hashes end up being in some log somewhere that's hacked. Keepass looks better because (1) it's open source so you can verify the source (but you really have to do that and verify it to be safe) and (2) it's all local and only mirrored/used at your discretion. Personally, I don't use Keepass because it sounds like a database and database corruption can mean losing many passwords. It's the right idea, though, and reasonably safe if you regularly back up the database.

PS - IIRC gbatemp did have some issue where they were getting suspicious logins or something, so they encouraged people to change their password proactively.  There's a big difference between a website having suspicious logins, being hacked and leaking password hashes, and leaking actual passwords which may or may not have been hacked.


----------



## MarkDarkness (May 4, 2018)

Nowadays if people really changed their password every time a breach like this is announced, they'd need a password book to carry around, which defeats the purpose.

Nowadays it's either use a password manager/generator or not caring.


----------



## MewAndKirby (May 4, 2018)

Twitter garbo anyways, but still sucks for those who got affected.


----------



## Deleted User (May 5, 2018)

Just looked up and can't even use OTP apps with twitter. The only OTP method is by giving them my phone number, which I'm not doing. Even Zucc allows OTP apps.


----------



## Seriel (May 5, 2018)

Sharinflan said:


> Just looked up and can't even use OTP apps with twitter. The only OTP method is by giving them my phone number, which I'm not doing. Even Zucc allows OTP apps.


I have Twitter on Authy, does it not let you do that without a phone number?


----------



## MasterJ360 (May 5, 2018)

Good thing my old password is guarded with verifications in order to access. I'm on hot ends with websites screwing us over, Zetaboard is the worst when it comes to this


----------



## Jayro (May 5, 2018)

I use the same password for everything, and I really don't use my Twitter enough to care if it gets hacked. It's just used to shitpost Splatoon screenshots.


----------



## Pleng (May 5, 2018)

Jayro said:


> I use the same password for everything, and I really don't use my Twitter enough to care if it gets hacked. It's just used to shitpost Splatoon screenshots.



Um but if you use the same password for everything it's not just your Twitter that a potential hacker has access to; it's *everything*...


----------



## Deleted User (May 5, 2018)

Understandable, thanks twitter. Please collect more of my data while you are at it.


----------



## Deleted User (May 5, 2018)

WOW TWITTER!!! I'm so fucking scared I'm gonna get hacked now!! I know I'm gonna be hacked because obviously I'm such an important person that someone will take the time out of their day to hack me!!!! All my funny tweets! My 4 followers that are all bot accounts!!! I'm gonna get hacked and now they're gonna get my other accounts across the web too?! Holy shit, I better use one of those password generators that makes a 40 character long stream of random shit that I'll never remember and will have to copy and paste every time I log in and it's actually really annoying but I pretend it isn't and brag about how secure I am to everyone else


----------



## Mikemk (May 5, 2018)

Isn't this the company that said it's fine to store passwords plaintext as long as no one can get into the system?


----------



## MrJason005 (May 5, 2018)

Mikemk said:


> Isn't this the company that said it's fine to store passwords plaintext as long as no one can get into the system?


That was T-Mobile Austria


----------



## ieatyoshis (May 5, 2018)

Robfozz said:


> WOW TWITTER!!! I'm so fucking scared I'm gonna get hacked now!! I know I'm gonna be hacked because obviously I'm such an important person that someone will take the time out of their day to hack me!!!! All my funny tweets! My 4 followers that are all bot accounts!!! I'm gonna get hacked and now they're gonna get my other accounts across the web too?! Holy shit, I better use one of those password generators that makes a 40 character long stream of random shit that I'll never remember and will have to copy and paste every time I log in and it's actually really annoying but I pretend it isn't and brag about how secure I am to everyone else



Just so you don't spread information, password managers can automatically enter your password and login for you.

Also, they're less about protecting your useless twitter account, but more about protecting your bank account which, for 99% of people, uses the same password.


----------



## zacchi4k (May 5, 2018)

I changed my Twitter password literally just one week ago...


----------



## K3N1 (May 5, 2018)

Titanica said:


> This is why I don't use social media. Besides, what's the point of social media when you got GBAtemp?


Any website can theoretically have passwords stolen from users. GBAtemp uses an open source forum, so if someone was really smart enough or Costello trusted the wrong guy your private information could still leak out. Not saying they can get hold of your passwords, but some of your private information can be vulnerable on any social site is what I'm trying to say.


----------



## Deleted User (May 6, 2018)

Seriel said:


> I have Twitter on Authy, does it not let you do that without a phone number?


Probably not. If you go on Twitter settings page, the only 2FA method is by SMS. I wanted to use FreeOTP.


----------



## AdenTheThird (May 6, 2018)

filfat said:


> According to a mail twitter sent out they're the second victim in a recent spree of log-related password exposing bugs, however compared to Github, this affected all 330 million users.
> 
> In the email Twitter states:
> ...


Oof. I'm gonna stay off of social media for a while...

...Except GBATemp, of course!


----------



## Deleted member 420418 (May 8, 2018)

The question is why would they do that?


----------



## Deleted User (May 8, 2018)

Titanica said:


> This is why I don't use social media. Besides, what's the point of social media when you got GBAtemp?


1 word
Hentai
cuz it's not allowed here


----------



## Deleted User (May 8, 2018)

Eix said:


> 1 word
> Hentai
> cuz it's not allowed here


And mentioning websites that include pirated material, which doesn't make sense, since there's threads about hacking consoles, which is illegal too.


----------



## sarkwalvein (May 8, 2018)

Sharinflan said:


> And mentioning websites that include pirated material, which doesn't make sense, since there's threads about hacking consoles, which is illegal too.


Hacking consoles is not illegal, at least not in the fashion that they will take your site down through DMCA.
Actually hacking a console is not illegal, period.


----------



## Deleted User (May 8, 2018)

sarkwalvein said:


> Actually hacking a console is not illegal, period.


It is.
https://en.wikipedia.org/wiki/Anti-circumvention


----------



## sarkwalvein (May 8, 2018)

Sharinflan said:


> It is.
> https://en.wikipedia.org/wiki/Anti-circumvention


Not in an enforceable fashion, and that is what matters here.


----------



## Deleted User (May 8, 2018)

sarkwalvein said:


> Not in an enforceable fashion, and that is what matters here.


Doesn't make it less illegal, though.


----------



## sarkwalvein (May 8, 2018)

Sharinflan said:


> Doesn't make it less illegal, though.


Perhaps, but the point was why "can we talk about that and not provide links to sites providing ROMs", and the answer is nobody can convince a judge or perhaps nobody cares enough to enforce taking the site down due to talking about hacking, but put some link to ROMs and you'll get DMCA takedown notes within the minute.


----------

