UPDATED 01:11 EDT / MAY 04 2018


Twitter advises its 336M users to change passwords after bug logged them in plain text

Twitter Inc. is advising all of its 336 million users to change their passwords after the microblogging service uncovered a bug that wrote passwords to an internal log before they were hashed, potentially exposing every user's password.

There’s no evidence so far of either hacking or malicious actors stealing the data.

Hashing is a one-way transformation, not encryption: a password hashing function such as bcrypt, which Twitter uses, turns a password into a value that is checked at login by recomputing it, and from which the original password cannot practically be recovered, so a stolen copy of the hashes does not directly yield passwords. The problem at Twitter was not the hashing itself but a logging bug that recorded passwords in plain text before they reached that step, according to Twitter Chief Technology Officer Parag Agrawal.

“We recently identified a bug that stored passwords unmasked in an internal log,” Agrawal wrote on the official Twitter blog. “We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.”
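The distinction above, as an added example that is not Twitter's code or part of the original article: a login handler that serializes the whole request into a log line before the password is hashed (the bug pattern), its redacting counterpart, a salted hash/verify pair, and a check that scans stored log lines for credential fields that were not masked. The article says Twitter uses bcrypt; because bcrypt requires a third-party package, this stand-alone demo uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in. The field names, the log format and the sample request are assumptions constructed for the demo.

```python
"""Why hashing alone did not help: a correct password hash is useless once the
raw password has already been written to a log.

Added example, not Twitter's code. PBKDF2-HMAC-SHA256 (standard library) stands
in for bcrypt, which the article names; field names, log format and the sample
request below are assumptions constructed for this demo.
"""
import hashlib
import hmac
import json
import os
import re
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "secret", "token"}
REDACTED = "[REDACTED]"

# Constructed sample login request; the password is not a real credential.
SAMPLE_REQUEST = {"user": "alice", "password": "hunter2-demo", "remember_me": True}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated one-way hash, stored as algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def redact(payload: Dict) -> Dict:
    """Return a copy with sensitive fields masked, recursing into nested dicts."""
    out = {}
    for key, value in payload.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = REDACTED
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


def log_login_unsafe(payload: Dict) -> str:
    """The bug pattern: the whole request is serialized into the log line before
    the password is hashed, so the log now holds the plaintext password."""
    return "login attempt " + json.dumps(payload, sort_keys=True)


def log_login_safe(payload: Dict) -> str:
    """Hardened form: mask credential fields first, then log."""
    return "login attempt " + json.dumps(redact(payload), sort_keys=True)


# Credential-looking key/value pairs in JSON ("password": "x") or key=value logs.
_SECRET_FIELD_RE = re.compile(
    r'"?(?P<key>password|passwd|pwd|new_password|secret|token)"?\s*[:=]\s*"?(?P<val>[^",\s}]+)',
    re.IGNORECASE,
)


def find_unredacted_secrets(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Detection check for a log store: (line_no, field) for every credential
    field whose value was not masked. Running this over log output is how the
    kind of bug described in the article would be caught."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for match in _SECRET_FIELD_RE.finditer(line):
            if match.group("val") != REDACTED:
                hits.append((line_no, match.group("key").lower()))
    return hits


if __name__ == "__main__":
    stored = hash_password(SAMPLE_REQUEST["password"])
    print("stored hash:", stored)
    print("verify correct:", verify_password("hunter2-demo", stored))
    print("verify wrong:  ", verify_password("not-it", stored))
    lines = [log_login_unsafe(SAMPLE_REQUEST), log_login_safe(SAMPLE_REQUEST)]
    for line in lines:
        print(line)
    print("leaks found:", find_unredacted_secrets(lines))
```

The point of running `find_unredacted_secrets` over the two log lines is that the hash in storage is identical in both cases; only the unsafe log line betrays the password. Redaction belongs at the logging boundary, not in the storage layer, and a periodic scan of log stores for credential-shaped fields is the control that catches the cases redaction missed.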

In an age when companies are often criticized for failing to disclose potential data breaches, or for delaying disclosure, Twitter's prompt disclosure of an incident that may not actually be a data breach stands out.

David Ginsburg, vice president of marketing at Cavirin Systems Inc., told SiliconANGLE that the bug goes to show that companies can’t count on a single layer to protect critical systems.

“Even though they may be on a secured system, and you think you have the network perimeter secured, you still need to assume that the hackers are already inside the perimeter, and take precautions,” Ginsburg explained. “The CIS benchmarks call for strong password protection, but the reality is that too many don’t yet apply these.”

He added that such protection can be automated through continuous assessment, so that the chief information security officer or other information technology managers know when best practices are not in place or when someone has changed a configuration, whether in error or by design.

Heather Howland, vice president of marketing at Preempt Security Inc., said the issue also highlights a need for IT security teams to be able to find weak passwords proactively.

“Employees often reuse passwords for both personal and business use,” she said. “Forcing regular password changes for everyone has become ineffective. Last year, NIST even reset their recommendations, admitting that complexity doesn’t really matter anymore.”

She also noted that “if a complex password was in a breach, it can be just as easily cracked. A password should be reset not based on some arbitrary time frame, but rather based on real-world evidence that it has been compromised. So finding better ways to identify the weak passwords in real time and enforcing contextual password updates when they are actually needed will be more effective.”

Mike Banic, vice president of marketing at Vectra Networks Inc., said the Twitter case should be a call to arms for companies to implement compulsory two-factor authentication.

“Twitter is one of many web-based and mobile applications that do not require dual-factor authentication as the default,” he said. “The breach of data from the Office of Personnel Management started with the cyberattackers using stolen credentials to pose as a legitimate employee of an OPM contractor performing background investigations, Keypoint Government Solutions, and the stolen credentials did not require two-factor authentication.”

The good news, he added, is that it’s easy to set up two-factor authentication for Twitter accounts.

Image: ateliertoepfer/Flickr
