Naked Security

Twitter password recovery bug potentially exposed data of 10,000 users

Twitter says your passwords are safe and the bug's fixed, but you ARE using 2FA and a strong password, right?!

Last week, Twitter let about 10,000 users know that their personal data might have been exposed by a bug discovered in its password recovery system.

“Sorry!” Twitter said on Wednesday in a post that offered scant detail.

Scant detail, but plentiful urgings: turn on login verification (Twitter’s two-factor authentication) to make it much harder for hijackers to take over your account; stop using weak passwords (here’s how to pick a decent one!); revoke the access privileges of any third-party apps you don’t recognize; require additional information to be entered before a password reset can even be initiated; and head over to the Twitter data dashboard to check up on your logins.

Michael Coates, Twitter’s Trust & Information Security Officer, said the bug was live for about 24 hours during the preceding week.

It was fixed “immediately,” he said.

But for those 24 hours, it had the potential to expose the email addresses and phone numbers of a “small number” of accounts, Coates said: fewer than 10,000 active accounts.

Twitter notified the affected account holders on Wednesday, so if you didn’t get notified, you’re golden: you weren’t one of the people whose details may have been exposed.

Anybody found to have exploited the bug to get at another account’s information will be excommunicated: banned from the platform permanently.

Plus, Twitter’s ready to bring in the law if necessary to “conduct a thorough investigation and bring charges as warranted.”

So the math goes like this: there were at most 10,000 possible victims, barely a fingernail scraping’s worth of Twitter’s estimated 305 million monthly active users.

That number could be smaller still if nobody actually exploited the bug, perhaps as low as “zilch!”

That would be the best possible outcome, given the personal details at risk.

Or, on second thoughts, the best possible outcome would have been no bug to begin with. Even a small number of possibly affected accounts is a SNAFU.

Good thing that Twitter fixed it ASAP!

Image of Twitter logo courtesy of tanuha2001 /

1 Comment

Unless I’m misreading, there’s nothing to indicate why this bug applied to a mere 10,000 users, unless they’re the same folks who used the password recovery option during the affected interim and therefore their info passed through the vulnerable code.

If that’s not it I’m curious about what made this group stand a fingernail scraping above the rest.
