Updated on 2022-09-25 Twitter discloses another security
Flip that “days since last security snafu” counter back to zero: Twitter is back with another incident disclosure. The company said it wasn’t properly logging Android or iOS users out of their apps when they changed their passwords. When you change your password, it’s meant to nuke all other active sessions so that every other device is logged out. That’s the whole point of changing your password: to stop access that might be in progress. But Twitter wasn’t doing that, so it logged a bunch of folks out as a precaution. As @sarahintampa wrote this week, it’s the latest disclosure in a long string of security issues at Twitter, not least the recent $150 million settlement with the FTC after it used phone numbers and email addresses, collected ostensibly for setting up two-factor authentication, for targeted advertising.
Twitter discloses it wasn’t logging users out of accounts after password resets: https://t.co/oPsUC0be8G
— Sarah Perez (@sarahintampa) September 22, 2022
Probably enough to fill a loyalty rewards punch card at this point… If you needed an ELI5, @runasand has your back:
This also means it’s not enough to reset your password if your Twitter account is hacked, support needs to close all active sessions for you. https://t.co/0gqkxGLboj
— Runa Sandvik (@runasand) September 22, 2022
Read more: Twitter discloses it wasn’t logging users out of accounts after password resets
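A minimal model of the rule the post describes (every session opened before a password change must stop working, while the device that changed it stays signed in), written here as an added example and not Twitter’s code. Each account carries a generation counter that is captured at login and bumped on a password change, so validation rejects any session holding a stale value; the same bump without re-binding the caller’s session is the support-side “close all active sessions” from the second tweet. The `AuthService`, `User` and `revoke_all_sessions` names are assumed for the example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass
class User:
    salt: bytes
    password_hash: bytes
    auth_generation: int = 0  # bumped on every password change or forced revoke

def _hash_password(password, salt):
    # stdlib PBKDF2; the iteration count is kept low only so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class AuthService:
    def __init__(self):
        self.users = {}     # user_id -> User
        self.sessions = {}  # token -> (user_id, auth_generation observed at login)

    def register(self, user_id, password):
        self.users[user_id] = User((salt := secrets.token_bytes(16)), _hash_password(password, salt))

    def login(self, user_id, password):
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user.password_hash, _hash_password(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user_id, user.auth_generation)
        return token

    def is_valid(self, token):
        # Live only while the generation recorded at login still matches the account's;
        # skipping this comparison is what the bug above amounts to: old sessions keep working.
        session = self.sessions.get(token)
        return session is not None and session[1] == self.users[session[0]].auth_generation

    def revoke_all_sessions(self, user_id):
        # Support-side "close all active sessions": every existing session becomes stale at once.
        self.users[user_id].auth_generation += 1

    def change_password(self, token, old_password, new_password):
        if not self.is_valid(token):
            return False
        user_id, _ = self.sessions[token]
        user = self.users[user_id]
        if not hmac.compare_digest(user.password_hash, _hash_password(old_password, user.salt)):
            return False
        user.password_hash = _hash_password(new_password, user.salt)
        self.revoke_all_sessions(user_id)                        # logs every other device out
        self.sessions[token] = (user_id, user.auth_generation)  # the device that changed it stays in
        return True
```

Because the check compares a counter rather than deleting rows, it also covers sessions the store never saw (a token minted on another node, or a stateless token that embeds the generation), which is the failure class a simple "delete the other session rows" approach can miss.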
Overview
Twitter said on Wednesday that it fixed a bug where users weren’t logged out of all their devices when performing a voluntary password reset. The company said that, to make sure the bug wasn’t being abused, it logged all users it suspected might have been affected out of their active sessions.
Read more: Twitter Privacy Center > An incident impacting password resets on Twitter