For approximately 24 hours last week, Twitter's password recovery systems contained a bug that could have potentially exposed the email addresses and phone numbers of about 10,000 active account-holders, the social networking giant acknowledged on Wednesday.
The company assured customers that it had fixed the issue immediately upon discovery and that the problem did not expose passwords or any other information that could be used to directly access an account.
“We take these incidents very seriously, and we're sorry this occurred,” Twitter said in a blog post. “Any user that we find to have exploited the bug to access another account's information will be permanently suspended, and we will also be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted.”
The specifics of the bug were not revealed, but it's not necessarily surprising that resetting a password could result in accidental leakage of contact information. “When you reset your password on virtually any online service, the [new temporary] password is sent to an email address,” Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), told SCMagazine.com. As a result, website passwords and email addresses are often inextricably linked.
Kaiser praised Twitter's quick turnaround from discovering the glitch to administering a fix. “It seems like it was pretty fast, with only a small number of accounts affected, given the entire Twitter universe,” said Kaiser, noting that because the problem appears to be an “internal vulnerability” within Twitter, it was likely easier to fix than if the problem had required users to download a patch. As of 31 December 2015, Twitter boasted 320 million monthly active users, per the company's website.
Twitter leveraged the incident as a teaching moment to remind users about the importance of responsible password management. In its blog post, the company recommended login verification (aka multi-factor authentication), stronger passwords and revoking the access privileges of unrecognised third-party applications. The company said it has alerted all customers affected by the bug. SC's request for further details from Twitter went unanswered.