Twitter has advised all 336 million of its users to change their passwords following widespread social media panic over news that a bug was exposing their passwords.
Twitter assured users that the bug was fixed and there was "no indication of breach or misuse by anyone," but a pop-up window still appeared urging all users to change their passwords "out of an abundance of caution," The Verge reported.
Here are four things to know about the Twitter password panic:
1. Passwords are supposed to be masked in Twitter’s system: The company masks passwords through a process called hashing, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system, according to Twitter Chief Technology Officer Parag Agrawal. That way the social media platform can validate a user's account without revealing their password.
2. The bug interfered with how passwords were stored: Agrawal explained that, due to the error, passwords were being written to an internal log before the hashing process was completed, resulting in them being stored in plain text.
"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," he assured in a statement.
3. It never should have happened, others say: Phil Libin, a startup founder and venture capitalist, said Twitter's misstep was "significantly worse" than a data breach, The Los Angeles Times reported.
"This kind of bug seems grossly negligent at best," Libin posted to Twitter.
"There's no reason for a plaintext password to ever be written to a file. It's not even the lazy way to code a password handler. It took effort to make this mistake."
He added that "a security researcher finding this kind of bug would be justified in suspecting malicious intent on the part of whoever wrote that code."
4. Twitter believes it didn’t have to inform its users of the breach: In an early tweet, Agrawal said that Twitter was sharing information about the bug "to help people make an informed decision about their account security" and not because there was any obligation to do so.
"We didn’t have to, but believe it’s the right thing to do," he said but, following widespread criticism, he later backpedaled on his initial comment and apologized to users.
© 2025 Newsmax. All rights reserved.