Fixing a recent password recovery issue

By @_mwc
Wednesday, 17 February 2016

We recently learned about — and immediately fixed — a bug that affected our password recovery systems for about 24 hours last week. The bug had the potential to expose the email address and phone number associated with a small number of accounts (less than 10,000 active accounts). We’ve notified those account holders today, so if you weren’t notified, you weren’t affected.

We take these incidents very seriously, and we’re sorry this occurred. Any user that we find to have exploited the bug to access another account’s information will be permanently suspended, and we will also be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted.

While this issue did not expose passwords or information that could be used directly to access an account, it serves as a reminder to us all about the importance of good account security hygiene. Some suggestions:

  • Require that additional information be entered before a password reset can be initiated. With this setting on, you must enter the email address or mobile number on the account, in addition to your username, before a password reset email or SMS/text is sent.
  • Be sure to use a strong password, at least 10 characters (more is better) mixing upper- and lowercase letters, numbers, and symbols, that you are not using for any other accounts or sites.
  • Consider using login verification. Instead of relying on just a password, login verification introduces a second check to make sure that you and only you can access your Twitter account.
  • Check the Applications tab at http://twitter.com/settings/applications and revoke the access privileges of any third party applications that you do not recognize.
  • If you’d like to review logins for your account you can do that at the Twitter data dashboard in your settings.
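
The first suggestion above, the setting that makes a reset request prove knowledge of the email or phone on file, as an added illustrative example. This is not Twitter's code and says nothing about the bug described in this post; the account store, the `OUTBOX` list, the `require_contact_for_reset` flag and the `request_reset` function are all constructed here to show the property a reset endpoint needs: the same response for an unknown username, a wrong contact value and a correct one, so the reply never confirms that an account exists or which email or number it uses.

```python
import hmac
import secrets
from dataclasses import dataclass


# Constructed sample accounts (not real data).
@dataclass
class Account:
    username: str
    email: str
    phone: str
    require_contact_for_reset: bool  # hypothetical per-account setting


ACCOUNTS = {
    "alice": Account("alice", "alice@example.com", "+15555550100", True),
    "bob": Account("bob", "bob@example.com", "+15555550101", False),
}

# Hypothetical outbox: records (username, channel, token) instead of sending.
OUTBOX = []

# One fixed message for every outcome; nothing in it depends on the account.
GENERIC = "If the details you entered match an account, reset instructions have been sent."


def normalize(value):
    """Lower-case, trim and encode so comparisons are byte-for-byte."""
    return (value or "").strip().lower().encode("utf-8")


def request_reset(username, contact=None):
    """Handle a password-reset request.

    Returns GENERIC for an unknown username, a wrong contact value and a
    correct one alike. The only difference between the cases is the side
    effect: a token goes to the account's own email or phone, never to the
    requester, and the response never echoes either contact detail.
    """
    acct = ACCOUNTS.get((username or "").strip().lower())
    supplied = normalize(contact)

    if acct is None:
        # Do comparable work so timing does not separate unknown from known names.
        hmac.compare_digest(supplied, supplied)
        return GENERIC

    if acct.require_contact_for_reset:
        # Constant-time checks against both contact channels on file.
        email_ok = hmac.compare_digest(supplied, normalize(acct.email))
        phone_ok = hmac.compare_digest(supplied, normalize(acct.phone))
        if not (email_ok or phone_ok):
            return GENERIC
        channel = "email" if email_ok else "sms"
    else:
        # Setting off: the username alone triggers a reset email.
        channel = "email"

    token = secrets.token_urlsafe(32)
    OUTBOX.append((acct.username, channel, token))
    return GENERIC


if __name__ == "__main__":
    for args in [("nobody", "x@example.com"),
                 ("alice", "wrong@example.com"),
                 ("alice", "alice@example.com"),
                 ("alice", "+1 555 555 0100".replace(" ", ""))]:
        print(args, "->", request_reset(*args))
    print("sent:", [(u, c) for u, c, _ in OUTBOX])
```

Only the `OUTBOX` entries distinguish the four calls; the HTTP-visible response is identical. A real deployment would add rate limiting per username and per source address, since uniform responses stop confirmation of contact details but not brute-force guessing of them.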

For more information about making your Twitter and other Internet accounts more secure, read our Help Center and the FTC’s guide on passwords.