4 Questions for Twitter Following Its ‘Unmasked Password’ Crisis

Twitter got out in front of its own crisis on May 3, emailing its business customers about a bug that stored account passwords, unmasked, in an internal log. The bug left Twitter passwords exposed, and visible, to everyone within the company.

"When someone sets a password for a Twitter account, we use technology that masks it so no one at the company can see it," Twitter said in the email. "We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug. Our investigation shows no indication of breach or misuse by anyone."

The email, and accompanying blog post, went on to explain that the bug was an isolated incident, wholly contained within Twitter's internal systems, and did not impact any of the campaign dashboards or metrics that communicators rely on to gauge the success of their Twitter campaigns. It also recommended that users change their passwords on Twitter and any services using the same password, along with enabling login verification, or two-factor authentication, to increase account security.

From a crisis communications perspective, there's a lot that Twitter did right in its messaging. The company took responsibility and didn't wait for the media to break news of its discovery. Twitter demonstrated transparency by going into more detail in its blog post about the bug. Twitter also offered actionable next steps.

Nonetheless, this loyal Twitter acolyte has some questions that the social platform's artfully communicated messaging failed to address. "I'd emphasize that this is not a breach and our investigation shows no signs of misuse," Twitter senior communications manager Liz Kelley told PR News after we sent her the questions below. "We're sharing this information so people can make an informed decision about the security of their account. We've reviewed our internal processes to ensure this doesn't happen again. Unfortunately, [we have] no additional details to share beyond our blog post."

What caused the bug in the first place? Twitter's messaging smartly acknowledged the bug, aligned with its users and assured us that the incident is contained. Still unanswered, though, is the question of just what caused the bug in the first place. If Twitter knows, and has simply chosen not to share the reason with its users, perhaps the answer is disquieting. If Twitter doesn't know, we reckon that finding the answer out will be instrumental to make sure another compromising bug doesn't affect the platform in the future. Either way, it's a notable omission from the platform's messaging.

What actions have been taken to ensure that this bug won’t happen again? Twitter assured users that it has fixed the bug and has implemented plans to prevent it from ever happening again. But what are those plans? When there's a breakdown in trust, it's on that party to not only repair the breakdown, but to share what preventative measures will be implemented. Twitter put the onus on users to change their passwords, and undercut some of the credit the company earned from getting in front of the crisis.

How long has this bug been creating an unprotected password log, and why is Twitter just discovering this now? Twitter ought to establish a timeline that explains when this bug was discovered and how long it has been in place, because the answers to those questions greatly change things. The longer this has been happening, the greater the likelihood of those passwords being compromised.

Moreover, it doesn't exactly inspire confidence that Twitter announced this bug on the same day it also announced updates to its Terms of Service and Privacy Policy. Like Facebook, Twitter has positioned these new changes, including "More focus on how Twitter shares your public data broadly and instantly, including through our developer tools," as steps voluntarily taken in the interest of addressing the current cultural conversations about social data privacy. In reality, these changes are protection for both platforms ahead of the imminent, much-needed data protection laws arriving when the GDPR goes into effect on May 25. It's no coincidence that these changes to Twitter's Terms of Service and Privacy Policy take effect the same day.

How is Twitter sure that this log has not been exposed to bad actors? Are Twitter employees vetted with ethical evaluations? How is the platform sure that the same entities that often pollute feeds with Russian bots and automated social media marketing copy have no access to this log? It's a simple question that nonetheless ought to be answered.

Follow Justin: @Joffaloff