The company’s CEO, Jack Dorsey, called the glitch an “internal defect.”
Twitter users on Thursday received an alert from the company explaining the issue and directing them to their account settings so they could change their passwords.
In a linked blog post, the company apologized for the problem.
“We are very sorry this happened,” said Twitter’s chief technology officer, Parag Agrawal. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
The company fixed the bug, deleted the stored passwords and launched an investigation that showed no signs of a breach or data misuse, according to Agrawal.
Still, “out of an abundance of caution,” the company said, it recommended that users change their passwords not only for Twitter but also for any other accounts with the same password.
The bug affected a process called hashing, which Twitter uses to mask users’ passwords by cryptographically converting them to different number and letter combinations before storing them.
Twitter uses the masked passwords to validate users’ account credentials.
“This is an industry standard,” Agrawal said.
However, the bug discovered by the company caused the passwords to be stored in an internal log before they were masked.
Agrawal said that Twitter has “no reason to believe password information ever left Twitter’s systems or was misused by anyone” but recommended that users take extra steps to secure their accounts, including two-factor authentication and using different passwords for separate accounts.
He received some backlash from Twitter users after he tweeted that the company “didn’t have to” tell users that their passwords had been stored in plain text in its system.
Agrawal later admitted he made a mistake by saying that Twitter didn’t have to inform users of the issue. Dorsey praised Agrawal’s response, adding, “I love my teammates.”