Last week was a particularly bad one for two of the world’s largest social media platforms. Because of a bug in its software, Twitter announced that every user should update their password as soon as possible. And on Sunday, The Guardian suggested that Mark Zuckerberg may not have been 100 percent truthful during his congressional testimony.
Here’s what we know about these developing stories.
Twitter celebrates World Password Day in unusual fashion
Thursday, May 3, was World Password Day, and chances are many of us wouldn’t have known that if it weren’t for Twitter. The social media platform really spoke to the urgency of the holiday when they announced that each of their 336 million users should update their passwords.
Twitter uses a technique known as hashing to protect users’ passwords. A hash function turns a password into a fixed-length string of seemingly random characters (a digest) that cannot be reversed back into the password. Twitter stores only the digest; when you log in, it hashes what you typed and compares the result to the stored digest, so it never needs to keep the password itself.
Unfortunately, there was a bug in their software, and users’ passwords were written in plaintext to an unspecified “internal log” before they reached the hashing step. Anyone with access to that log, whether an employee or a third party, could simply read every affected user’s password. That is also why the advice to change your password matters even though Twitter says the log was never misused: a password that has been recorded in plaintext anywhere, including in backups or copies of that log, should be treated as exposed, especially if you reuse it on other sites.
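To make the defect concrete, here is an added example (not Twitter’s code, which is not public) of the vulnerable pattern beside a hardened one. Twitter said it hashes with bcrypt; bcrypt is not in Python’s standard library, so this example substitutes PBKDF2-HMAC-SHA256 with a per-user salt from `hashlib`. The in-memory list `log` stands in for the “internal log”, and the usernames and passwords are constructed test data.

```python
import hashlib
import hmac
import json
import os

# Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256, per-user 16-byte salt).
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """One-way: the same (password, salt) always yields the same digest,
    but the digest cannot be turned back into the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Re-hash the submitted password and compare digests in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def register_vulnerable(username, password, log, store):
    """The pattern the article describes: the whole request, password
    included, is written to the internal log BEFORE hashing."""
    log.append(json.dumps({"event": "register", "user": username, "password": password}))
    store[username] = hash_password(password)


def register_hardened(username, password, log, store):
    """Hash first, then log a record with the secret redacted."""
    store[username] = hash_password(password)
    log.append(json.dumps({"event": "register", "user": username, "password": "[REDACTED]"}))


def log_leaks_secret(log, secret):
    """Detection check: does any log line contain the plaintext secret?"""
    return any(secret in line for line in log)


def demo():
    """Run both paths on constructed data; returns (vulnerable_leaks, hardened_leaks)."""
    vuln_log, vuln_store = [], {}
    register_vulnerable("alice", "correct horse battery", vuln_log, vuln_store)

    safe_log, safe_store = [], {}
    register_hardened("alice", "correct horse battery", safe_log, safe_store)

    return (log_leaks_secret(vuln_log, "correct horse battery"),
            log_leaks_secret(safe_log, "correct horse battery"))


if __name__ == "__main__":
    print(demo())
```

The same `log_leaks_secret` check, pointed at a real log file and a test account’s password, is a cheap regression test to add after a fix like Twitter’s, since a redaction bug can easily reappear when a new log statement is added.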
Parag Agrawal, Twitter’s chief technology officer, first announced the security incident on a corporate blog post urging users to change their passwords immediately, especially if they used that password for other sites. Speaking to the seriousness of the incident, Twitter also disclosed the password flaw as part of a regulatory filing the same day.
CEO Jack Dorsey also issued a statement on Twitter. According to Dorsey, there are no signs that a breach or misuse of the data occurred; Twitter simply felt it was important to be open and honest about the “internal defect.” He went on to add that Twitter discovered the bug without the assistance of outside security researchers, a marked difference from many recent breach disclosures.
We recently discovered a bug where account passwords were being written to an internal log before completing a masking/hashing process. We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect. https://t.co/BJezo7Gk00— jack (@jack) May 3, 2018
Better password management on Twitter
If you’re one of the millions of users on Twitter, it’s time to update your password. To do this on Twitter’s website, go to Settings and Privacy -> Change Password. If you’re on the app, you’ll need to navigate to Settings and Privacy -> Account -> Change Password. For tips on creating a secure password, visit our blog 5 Ways to Generate Passwords That Are Tough to Crack.
It’s also a good idea to turn on two-factor authentication, which Twitter calls “login verification.” After you navigate to Account -> Security within Twitter, select the option Verify Login Requests. Logins will then require a second piece of information, such as a code texted to your phone. If your account offers the option of a code from an authenticator app instead, prefer it: SMS codes can be intercepted if an attacker takes over your phone number.
Zuckerberg’s testimony under question
Mark Zuckerberg may have survived his time in the hot (and well-cushioned) seat, but new reporting suggests the tech mogul may not have been entirely truthful during his recent congressional testimony, particularly about what Facebook knew of how Cambridge Analytica handled derivative data.
During testimony, Zuckerberg told House Representative Jan Schakowsky that Cambridge Analytica told Facebook they deleted all derivative data immediately after Facebook confronted the company.
“In 2015, when we first learned about it, we immediately demanded that the app developer and the firms that he sold it to delete the data. And they all represented to us that they had.”
According to The Guardian, this is not the case. Citing obtained emails, the international news organization claims there was an ongoing discussion between Facebook and Cambridge Analytica that lasted for months. In fact, several inside sources tell the publication that Cambridge Analytica held on to the derivative data until 2017.
What does all this mean for you?
If there’s anything we can learn from these revelations, it’s that we cannot depend on tech companies or even the government to protect our privacy. Instead, it’s up to each of us to protect ourselves and our loved ones.
If you’d like to learn more about how we can accomplish this, you can download our complimentary checklist, Protecting Your Privacy: Best Practices for Mobile, Social, and Search Settings. It’s loaded with great information you can use to safeguard your privacy and that of your loved ones.