Twitter Logged a Bunch of Users’ Passwords in Plain Text

Twitter CTO Parag Agrawal on the company blog:

When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.
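The two halves of that statement, "technology that masks it" and "stored passwords unmasked in an internal log", map onto a concrete engineering failure: the credential is hashed before it reaches the password store, but a request logger upstream of that step serialises the raw form body. The following is an added illustration, not Twitter's code or anything Agrawal described in detail; the form field names, the PBKDF2 parameters, and the log line format are assumptions chosen for the demo.

```python
import hashlib
import hmac
import logging
import os
import re
from typing import Dict, List, Optional, Tuple

# "Masking" in the statement means storing a salted one-way hash, never the
# password itself. The work factor and hash are assumptions for this example.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Field names that must never appear in a log line (assumed list).
SENSITIVE_FIELDS = {"password", "passwd", "new_password", "old_password"}
MASK = "***REDACTED***"


def format_request_unsafe(form: Dict[str, str]) -> str:
    # The bug pattern: the whole submitted form is dumped into an internal log,
    # so the plaintext password lands on disk even though the store only holds a hash.
    return "signup " + "&".join(f"{k}={v}" for k, v in form.items())


def redact(form: Dict[str, str]) -> Dict[str, str]:
    return {k: (MASK if k.lower() in SENSITIVE_FIELDS else v) for k, v in form.items()}


def format_request_safe(form: Dict[str, str]) -> str:
    # First line of defence: scrub known-sensitive fields before formatting.
    return "signup " + "&".join(f"{k}={v}" for k, v in redact(form).items())


class RedactingFilter(logging.Filter):
    """Second line of defence: a logging filter that masks password-like
    key=value or key: value pairs in any record, regardless of which call
    site forgot to redact. Constructed pattern; tune it for real log formats."""

    PATTERN = re.compile(r"(?i)(password[^=:\s]*\s*[=:]\s*)([^&\s,]+)")

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.PATTERN.sub(r"\1" + MASK, record.getMessage())
        record.args = ()  # already interpolated above
        return True


def log_with_filter(form: Dict[str, str]) -> List[str]:
    """Push the *unsafe* formatter through a logger guarded by RedactingFilter
    and return the lines that would have hit the log file."""
    lines: List[str] = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            lines.append(self.format(record))

    logger = logging.getLogger("signup-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info(format_request_unsafe(form))
    return lines


if __name__ == "__main__":
    # Constructed sample request, not real data.
    form = {"username": "alice", "password": "hunter2"}
    print("unsafe  :", format_request_unsafe(form))
    print("redacted:", format_request_safe(form))
    print("filtered:", log_with_filter(form)[0])
    salt, digest = hash_password(form["password"])
    print("stored  :", salt.hex(), digest.hex())
    print("verify  :", verify_password("hunter2", salt, digest))
```

The point of keeping both layers is that the per-call-site redaction is the one that gets forgotten; the filter on the handler catches the record regardless of who logged it, which is the kind of control that would have stopped the bug described above from ever writing a plaintext credential to disk.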

Interestingly enough, this was posted with the title “Keeping your account secure”, as opposed to a more accurate headline, like, “Oops, we stored your password in plain text”, or “We know the president’s password, for real”.

The euphemistic and misleading headline upsets me. What’s even more worrying is Agrawal’s reaction in a tweet:

We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.

You “didn’t have to” let Twitter users know that their account password was saved as plain text in the company’s infrastructure? Fuck you. Even if there isn’t a legal obligation to tell users, isn’t there a moral one?

Agrawal later apologized for saying that, but that’s a ridiculous initial reaction for the chief technical officer of a gigantic company.