Twitter Inc. is advising all users to change their passwords, saying it found a bug in its systems that exposed passwords in plain text internally.
The company said it removed the plaintext passwords from its system and is working to avoid such an issue happening again. (Passwords are normally stored only as salted hashes, so any copy of the plaintext, even in an internal file, is a defect rather than a weaker form of storage.) An internal investigation "shows no indication of breach or misuse by anyone" and there's "no reason to believe password information ever left Twitter's systems or was misused by anyone," the social-media firm said.
Still, the company advised users to change passwords for Twitter and other services with the same password.
Online privacy scares are common nowadays. However, Twitter's misstep is disturbing because there's no reason for companies to store user passwords in plain text, even in internal files, said Phil Libin, a startup founder and venture capitalist.
"This is not a breach. It's significantly worse," Libin tweeted. "… This kind of bug seems grossly negligent at best. There's no reason for a plaintext password to ever be written to a file. It's not even the lazy way to code a password handler. It took effort to make this mistake."
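To make Libin's point concrete, here is an added example (not Twitter's code, and not code from the original article) of the two ways a password handler can go: one that logs the whole request object before hashing, so the plaintext lands in a file, and one that hashes the password with a salted key-derivation function and wraps the secret so that even a careless log call cannot print it. The `scrypt` work factor, the `Secret` wrapper, the `USERS` dictionary and the in-memory log buffer are assumptions made for illustration; the sample usernames and passwords are constructed.

```python
# Added example: a password handler that hashes before storing and never
# writes the plaintext to a log. Not Twitter's code; the names below
# (Secret, USERS, LOG_STREAM, SCRYPT_PARAMS) are assumptions for illustration.
import hashlib
import hmac
import io
import logging
import os
from typing import Optional

# Constructed in-memory "log file" so the example runs offline and we can
# inspect what a real log sink would have received.
LOG_STREAM = io.StringIO()
log = logging.getLogger("auth-example")
log.setLevel(logging.INFO)
log.propagate = False
_handler = logging.StreamHandler(LOG_STREAM)
_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(_handler)

# Assumed work factor: 16 MiB of memory per hash (128 * r * n bytes).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)

# Constructed stand-in for the user table: username -> stored hash record.
USERS = {}


class Secret:
    """Wrapper whose repr/str never reveal the value, so logging a request
    that contains it cannot leak the plaintext by accident."""

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "<redacted>"

    __str__ = __repr__


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>'; a fresh random salt per call."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            dklen=len(expected), **SCRYPT_PARAMS)
    return hmac.compare_digest(actual, expected)


def register_leaky(request: dict) -> str:
    """Constructed anti-pattern: dump the raw request before hashing.
    The password is hashed correctly afterwards, yet the plaintext is now
    in the log, which is the kind of mistake the article describes."""
    log.info("register request: %r", request)
    record = hash_password(request["password"])
    USERS[request["user"]] = record
    return record


def register_safe(request: dict) -> str:
    """Hardened form: wrap the password at the boundary, log only the
    username, and store nothing but the salted hash."""
    password = Secret(request["password"])
    log.info("register request for user=%s password=%r", request["user"], password)
    record = hash_password(password.reveal())
    USERS[request["user"]] = record
    return record


def log_contains(needle: str) -> bool:
    """Check whether a string ever reached the log sink."""
    return needle in LOG_STREAM.getvalue()


if __name__ == "__main__":
    register_leaky({"user": "alice", "password": "hunter2"})
    register_safe({"user": "bob", "password": "correct-horse-battery"})
    print("leaky handler leaked plaintext:", log_contains("hunter2"))
    print("safe handler leaked plaintext:", log_contains("correct-horse-battery"))
    print("bob can log in:", verify_password("correct-horse-battery", USERS["bob"]))
```

The check that matters is the last one: grep the log sink for a known test password after exercising every code path that touches it. A handler that hashes correctly but logs the request object first passes every unit test on the hash and still fails that grep.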
Twitter Chief Technology Officer Parag Agrawal said the company didn't have to disclose the bug but decided to share the information "to help people make an informed decision about their account security."
After being criticized by Twitter users, Agrawal backpedaled. "I should not have said we didn't have to share. I have felt strongly that we should. My mistake," he tweeted.
Twitter shares fell 1.2% in extended trading following the news. In regular trading, the stock edged up 0.4% to $30.67 a share.
6:45 p.m.: This article was updated with comments from Phil Libin and Parag Agrawal.