Dear Twitter: masked passwords are not the same as hashed passwords. Please refrain from storing them in any recoverable form.
Posted by jpluimers on 2018/05/04
Apparently Twitter not only logged plain-text passwords, but also handles them in a masked form:
Keeping your account secure
When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. Learn more
This seems to imply passwords are not hashed, but can be recovered into plain text.
Please Twitter, ensure that passwords are never recoverable.
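To make the difference concrete, here is an added example (not from the original post, and not Twitter's code): `mask`/`unmask` is a toy reversible scheme standing in for any recoverable storage, while `hash_password`/`verify_password` store a salted scrypt digest that can only be checked, never reversed. The key, sample password, function names and scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values; the key and password are made up for this example.
MASK_KEY = b"server-side-secret-key"
PASSWORD = "correct horse battery staple"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode); stands in for any reversible scheme."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mask(password: str, key: bytes) -> bytes:
    """Reversible 'masking': whoever holds the key gets the password back."""
    data = password.encode()
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def unmask(blob: bytes, key: bytes) -> str:
    """Inverse of mask(): the stored blob plus the key yields the plain text."""
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


def hash_password(password: str) -> bytes:
    """One-way storage: random salt + scrypt. There is no inverse function."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + digest


def verify_password(candidate: str, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    check = hashlib.scrypt(candidate.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(check, digest)
```

With the masked blob, the database plus the key is enough to recover every password; with the scrypt record, the server can only answer whether a submitted candidate matches.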
Note: after changing your password at https://twitter.com/settings/password, visit https://twitter.com/settings/applications
–jeroen