- Buy Microsoft Visio Professional or Microsoft Project Professional 2024 for just $80
- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
Twitter Password Reset Bug May Have Exposed User Accounts
Twitter has remediated an issue that allowed accounts to stay logged in across multiple devices even after a voluntary password reset.
In an update yesterday, the social media company explained that the bug meant users who proactively changed their passwords on one device may have still been able to access open sessions on other screens.
This is important, as users who choose password resets voluntarily may be doing so because they’re concerned their account has been compromised.
The bug meant that a threat actor who was able to access an account in some way would have continued to be able to do so even after such a reset.
It’s unclear exactly how long users have been exposed in this way, but Twitter explained that the issue appeared after it made a change “last year” to the systems that power its password reset functionality.
“We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again,” the firm explained.
“We realize this may be inconvenient for some, but it was an important step to keep your account safe and secure from potential unwanted access.”
There remains a question over whether Twitter has notified all those affected. Users may want to proactively log out of their account and/or reset passwords across their devices in any case.
The social media giant encouraged all users to familiarize themselves with the security controls available in their settings and to review active open sessions regularly.
“You can also review how to reset a lost or forgotten password on our Help Center,” it added.
Twitter has been in the security news this year for all the wrong reasons.
In May it agreed to pay a $150m fine to settle a federal privacy suit over privacy data violations, while a few months later a former CSO blew the whistle on an alleged litany of security vulnerabilities and mismanagement at the firm.