Twitter Security Goof: “Password” isn’t a Good Password

TechCrunch is reporting that the admin panel for Twitter Search was compromised recently. How? The password for it was “Password.”

Twitter co-founder Biz Stone, responding to our email, said “this bug allowed access to the search product interface only. No personally identifiable user information is accessible on that site.”

Included in the Search admin are the Trending Topics settings, and the tool used to remove individual statuses from search results in some cases.

What were they thinking?

This raises the important question: How secure is Twitter, or any other web service? How do we know that they’re even hashing our passwords to protect them if the database was compromised?

  • Evan

    Wow. Simply shocking. I know that I'll never use the same password on Twitter that I use anywhere else. Even though they claim that this didn't involve any accounts, it might say something about the security-consciousness of their team.

    • redwall_hp

      I've been thinking about this a bit, and I've been wondering if this isn't any incompetency of Twitter. Twitter Search used to be a third-party service known as Summize. Maybe this is a relic of the system's heritage, and Twitter simply neglected to perform thorough security audits?

      At any rate, I believe Twitter Search is still hosted on separate servers, so your account is probably safe. I still would recommend using a different password for Twitter, simply because it's good practice. If you use the same password for everything, you may run into trouble down the road.