Twitter Password Reset Bug May Have Exposed User Accounts

Twitter has remediated an issue that allowed accounts to stay logged in across multiple devices even after a voluntary password reset.

In an update yesterday, the social media company explained that the bug meant users who proactively changed their passwords on one device may have still been able to access open sessions on other screens.

This is important, as users who choose password resets voluntarily may be doing so because they’re concerned their account has been compromised.

The bug meant that a threat actor who was able to access an account in some way would have continued to be able to do so even after such a reset.

It’s unclear exactly how long users have been exposed in this way, but Twitter explained that the issue appeared after it made a change “last year” to the systems that power its password reset functionality.

“We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again,” the firm explained.

“We realize this may be inconvenient for some, but it was an important step to keep your account safe and secure from potential unwanted access.”

There remains a question over whether Twitter has notified all those affected. Users may want to proactively log out of their account and/or reset passwords across their devices in any case.

The social media giant encouraged all users to familiarize themselves with the security controls available in their settings and to review active open sessions regularly.

“You can also review how to reset a lost or forgotten password on our Help Center,” it added.

Twitter has been in the security news this year for all the wrong reasons.

In May it agreed to pay a $150m fine to settle a federal privacy suit over privacy data violations, while a few months later a former CSO blew the whistle on an alleged litany of security vulnerabilities and mismanagement at the firm.