Why you should change your Twitter and GitHub passwords now

Android Police

By Killian Bell

Published May 4, 2018

It’s time to update your Twitter and GitHub passwords. Both services have confirmed that usernames and passwords were saved unmasked in plain text in internal logs. This is not a security breach, but users are advised to create a new password as a precautionary measure.

When you create an account for an online service, your login credentials should be masked using a process called hashing so that no one — not even employees at that service — can see your password. This ensures that your account is safe, even if internal systems are breached and the data makes its way into the wrong hands. But Twitter and GitHub have slipped up by inadvertently storing passwords in plain text.

“We recently identified a bug that stored passwords unmasked in an internal log,” Twitter confirmed in a post on its blog this week. “We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.” A similar issue recently happened at GitHub, which, like Twitter, blamed a bug for storing some users’ passwords in plain text — also in an internal log.

Both companies insist that there has been no data breach, or any indication that passwords were accessed by employees, other users, or the public. Nevertheless, users are being advised to change their passwords as a precautionary measure. And if you use the same password somewhere else, you should change that one, too, just to be safe.

When creating passwords, it’s a good idea to use a password manager, such as Dashlane, which can generate a super-secure string from random letters and numbers that cannot be easily cracked or guessed. A password manager can then hold onto the login details for you, ensuring you never forget your password for another website again.

It is also recommended that you use two-factor authentication wherever possible. Even if someone somehow gets hold of your username and password, they will be unable to login to your account without completing a second authorization step. This usually involves entering a code sent to you in a text message.

Source: Twitter, Bleeping Computer