Twitter on Thursday encouraged its more than 330 million users to change their passwords after the company discovered a bug that revealed the passwords in an unencrypted form in an internal log.

Twitter said in a blog post that "we have no reason to believe password information ever left Twitter's systems or was misused by anyone." But the company urged users to take action "out of an abundance of caution."

In tweets Thursday afternoon, Twitter's chief technology officer, Parag Agrawal, apologised for the error and said: "We are sharing this information to help people make an informed decision about their account security. We didn't have to, but believe it's the right thing to do."

Twitter said that it had discovered the error itself and removed the passwords. The company did not say when it discovered the bug.


In 2011, Twitter finalised a settlement with the Federal Trade Commission over allegations that the company's "serious lapses" in data security "allowed hackers to obtain unauthorised administrative control of Twitter," according to an FTC release. As part of the settlement, Twitter must maintain a "comprehensive information security program" that will be independently assessed every other year for 10 years.

Such data security assessments have come under scrutiny in recent weeks, following Facebook's entanglement with a political consultancy that improperly accessed the data of 87 million users. Facebook's assessments did not appear to detect the incident.