Kim Dotcom threatens Twitter class action over user password exposure
Twitter urged its 330 million users to change their passwords on Thursday after discovering a “bug” that stored users’ unmasked passwords in an internal log for months. The company didn’t specify exactly how many accounts had been affected; however, Reuters reported that the figure was “substantial.”
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ — Twitter Support (@TwitterSupport) May 3, 2018
Unconvinced by their ‘honest mistake’ apology, internet entrepreneur Dotcom questioned why Twitter decided to admit to the breach now. He suggested that a threat from a former employee, a pending lawsuit, or an imminent NSA leak could be possible reasons for their forthrightness.
“What we can all agree on is that this wasn’t an ‘error’ or an honest mistake,” wrote Kim.
Apparently @twitter stored your password in clear text in an ‘Internal log’ undermining any encryption. Twitter claims this was an error. Based on my data security experience I suggest this wasn’t an error but a deliberate effort to provide your passwords to US Govt agencies. pic.twitter.com/wGZsaxqlYp — Kim Dotcom (@KimDotcom) May 4, 2018
We can only speculate why @twitter proactively admitted that they stored user passwords in clear text. A threat from a former employee? A pending lawsuit? Another imminent NSA leak? We don’t know, yet. What we can all agree on is that this wasn’t an ‘error’ or an honest mistake. — Kim Dotcom (@KimDotcom) May 4, 2018
On Twitter, Kim asked his more than 700,000 followers to vote in a poll about whether they would be interested in joining a class-action lawsuit against the social media network for misleading their users “by telling them that their passwords were encrypted while deliberately storing them in plain text and probably providing them unlawfully to US govt agencies?”
Following a resounding ‘Yes’ from more than 6,000 participants – and his estimation that “over a million Twitter users” will feel the same – Kim later appealed for a “reputable US law firm” to step forward to head the class-action lawsuit.
Many users felt similarly skeptical about the “bug” excuse, which prompted Twitter’s Chief Technology Officer Parag Agrawal to defensively claim that the company “didn’t have to” alert users to their mistake. Agrawal later took back the statement.
I should not have said we didn’t have to share. I have felt strongly that we should. My mistake. https://t.co/Cqbs1KiUWd — Parag Agrawal (@paraga) May 3, 2018
Why are you calling it a "bug"? You dumped unencrypted password to a file. You need a code sentence for that. That's not a bug, that's something deliberate. You must clarify what happened, period. — Rodrigo R. Paz (@rodrigorpaz) May 3, 2018
Twitter Bug? Password Error? I don’t think that it was a bug / error in the twitter engine, I think it was made deliberately so passwords would be Effort to provide for shady/agency like Governments!? Hmm? That might have an interest in it #CyberSecurity #Infosec @TwitterSupport pic.twitter.com/QXj1n2hx1Q — snoɯʎuou∀ (@ERLNCINAR) May 4, 2018