Twitter urges all users to change passwords after glitch

I feel for those people who use one or two passwords for all their online services. Maybe a subtle reminder to rather use something like Lastpass if anyone isn't already
 
GitHub had a similar notification 3 days ago, luckily I'm using a password manager, else my passwords would be getting leaked all over the place it seems nowadays ...

"During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users’ passwords to our internal logging system, including yours. We have corrected this, but you'll need to reset your password to regain access to your account.

GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time. Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way."
 
Meh. They can steal my Twitter. All I do is rant at Citypower every other month.
 
So so.

It's not even an external leak.

Only if you honestly believe this was not malicious on the part of an employee. Just think about it, WHY would any developer be logging what's entered in the password field? You have to be at the bottom of the dev rung to think that's acceptable. How much would you say Donald Trump's password is worth? Nah, oversight my bum.

Disgruntled internal employees are even worse.

This
What they didn't tell us is just how long this has been going on. At what point was this "feature" added...
 
Only if you honestly believe this was not malicious on the part of an employee. Just think about it, WHY would any developer be logging what's entered in the password field?
Doesn't seem that far fetched to me. E.g. perhaps he/she was piping all fields of a query into a file & forgot that the password was one of them.

Your "why would anyone" question assumes that there is a specific rationale behind it. Sht happens. E.g. someone is hunting for a bug and temporarily adds more logging but forgets to remove it.

Lots of plausible scenarios that don't involve malice.

You have to be at the bottom of the dev rung to think that's acceptable.
You've never made a temporary change to code to track down an issue? Maybe commented out a piece of the code...that might even include some checks & balances?
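The scenario described in this post, a debug statement that dumps every request field into a log, is exactly what a redacting log filter guards against. The following is an added example (not code from the thread, Twitter or GitHub); the field names and the sample request are constructed for illustration.

```python
import io
import logging
import re

# Field names whose values must never reach a log line. The set is constructed
# for this example; a real service would derive it from its request schema.
SENSITIVE_KEYS = {"password", "new_password", "password_confirmation", "reset_token"}
REDACTED = "[REDACTED]"
# Fallback for free-text messages that carry key=value pairs (query strings, form dumps).
_KV_PATTERN = re.compile(r"(?i)\b(" + "|".join(sorted(SENSITIVE_KEYS)) + r")=([^\s&,;}]+)")


def redact(value):
    """Return a copy of a request payload with sensitive values masked.

    Nested dicts and lists are walked, so a whole form body passed to a
    log call is covered, not just its top-level keys.
    """
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(item) for item in value]
    if isinstance(value, str):
        return _KV_PATTERN.sub(r"\1=" + REDACTED, value)
    return value


class RedactingFilter(logging.Filter):
    """Scrub each record on the logger, before any handler (file, syslog, SIEM) sees it."""

    def filter(self, record):
        args = record.args
        record.args = tuple(redact(a) for a in args) if isinstance(args, tuple) else redact(args)
        record.msg = redact(record.getMessage())  # render with scrubbed args, then scrub the text
        record.args = ()
        return True  # keep the record, only its contents changed


def log_reset_request(fields):
    """Log a reset request the way an over-eager debug statement would, but through
    the filter; returns the emitted line so the result can be inspected."""
    stream = io.StringIO()
    logger = logging.getLogger("example.reset")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.debug("reset request %s", fields)  # the "log everything" mistake, now safe
    return stream.getvalue().strip()
```

Attaching the filter to the logger rather than to one handler means a developer who adds a temporary file handler while chasing a bug still gets scrubbed output.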
 
Doesn't seem that far fetched to me. e.g. Perhaps he/she was piping all fields of a query into a file & forgot that the password was one of them.
Nah, a query would not reveal the password - the password is not stored in the DB anywhere as clarified by Twitter.

Your "why would anyone" question assumes that there a specific rationale behind it. Sht happens. E.g. Someone is hunting for a bug and temporarily adds more logging but forgets to remove it.
Junior grunts should not be working on or publishing to live. Code should be peer reviewed before publishing to live. This is a multi billion dollar company, not Joe's Garage coding shop.

Lots of plausible scenarios that don't involve malice.
IMO it's possible, not plausible. If it is then Twitter need to get their **itter together.


You've never made a temporary change to code to track down an issue? Maybe commented out a piece of the code...that might even include some checks & balances?
Sure, but it gets peer reviewed very carefully before publishing to live, especially if you are tracking input from the password field on the login page. There are very few times you're ever going to need to do that.
 
Surprised stuff like this still happens. Maybe I shouldn't be.
 