Twitter is advising all of its 330 million users to change their passwords after a bug briefly exposed every single login in plain text format. Twitter says it's now fixed the error, and there's no evidence of a breach or any malicious action, but it's best to play it safe.
It's easy to reset your Twitter password, and there are additional security measures you can take to ensure that even if someone gets hold of your details, they'll be unable to log in. These methods are good practice for all online accounts, so this is a good time to make sure your other profiles are locked up too. It's also a good idea to install a free password manager while you're at it.
1. Change your Twitter password
Go to https://twitter.com/settings/password, enter your existing password, then type a new one. Enter the new password again to confirm it.
Having a strong password won't help if your login is accidentally exposed in plain text format, but it will protect your account from hackers. Dictionary words are easily cracked, so it's a good idea to use a password generator to create logins that use a combination of numbers, letters and other characters.
These passwords are then stored in an encrypted 'vault' and entered for you automatically so you don't have to remember them yourself.
2. Set up two-factor authentication
Two-factor authentication means you need more than one piece of information to log into your account. Even if your password is exposed, nobody will be able to get in without the other piece – in this case, a six-digit number sent to your phone via SMS.
To set it up, visit https://twitter.com/settings/add_phone, make sure the correct region is selected and enter your phone number (leaving off the leading '0'). Click 'Continue' and Twitter will send a six-digit code to your phone. Enter this on the website, then click 'Activate phone'.
Now click 'Account' and select 'Set up login verification'. Click 'Start', enter your account password and click 'Send code'. Enter the new six-digit number that's sent to your phone and select 'Submit'.
That's it. From now on, whenever you try to log into your Twitter account, you'll need to confirm your identity by entering a code sent to your phone.
Select 'Get backup code' to generate a random series of letters and numbers. Store this in your password manager – you'll need it if you ever lose or break your phone. It can only be used once, so look after it.
3. Secure password reset
If someone gains access to your Twitter account, one of the first things they'll try to do is reset your password, locking you out. To prevent this, go to https://twitter.com/settings/account and check 'Require personal information to reset your password'. You'll now be unable to change your password without verifying your email address or phone number.
This isn't the most secure option in the world – if someone clicks 'Mobile' or 'Account' they'll be able to see what your email and phone number are – but it might give you enough time to report the account as compromised.
4. Change other account passwords
You're only human, so unless you're already using a password manager, there's a good chance you use the same password to log into several different online accounts – or minor variations on a theme. It's convenient, but it means that if one of your accounts is compromised, an attacker can then use the same credentials to break into your other accounts.
If you share your Twitter password with any other accounts – including social media, email and online shopping – change them too, and make sure each login is unique. Using a password manager means you won't need to remember all these new passwords yourself.
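To find which of your other accounts share the exposed password or a minor variation of it, you can run a check like the one below over a password manager export. This is an added example, not part of the original article: the CSV column names (site, username, password), the sample rows and the letters-only comparison heuristic are all assumptions made for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; these are not real credentials.
SAMPLE_EXPORT = """site,username,password
twitter.com,alice,Sunshine2018!
shop.example,alice,Sunshine2018!
mail.example,alice@mail.example,sunshine2018
forum.example,alice,Sunshine#1
bank.example,alice,q7!Vx2#LmP9$wR4z
"""

def skeleton(password):
    """Heuristic base form: lowercase letters only, so case changes and
    added digits or symbols collapse to the same string."""
    return re.sub(r"[^a-z]", "", password.lower())

def audit(export_text):
    """Return (reused, variants): groups of sites sharing an identical
    password, and groups sharing only the same base form."""
    exact, similar = defaultdict(list), defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        exact[row["password"]].append(row["site"])
        base = skeleton(row["password"])
        if len(base) >= 4:  # skip passwords with too few letters to compare
            similar[base].append(row["site"])
    reused = sorted(sorted(s) for s in exact.values() if len(s) > 1)
    variants = sorted(sorted(s) for s in similar.values()
                      if len(s) > 1 and sorted(s) not in reused)
    return reused, variants

def sites_to_change(export_text, exposed_site):
    """Other sites whose password matches or resembles the exposed one."""
    reused, variants = audit(export_text)
    affected = set()
    for group in reused + variants:
        if exposed_site in group:
            affected.update(group)
    affected.discard(exposed_site)
    return sorted(affected)

if __name__ == "__main__":
    # Only site names are printed; passwords never leave memory.
    for site in sites_to_change(SAMPLE_EXPORT, "twitter.com"):
        print("change password on:", site)
```

Delete the exported file once the check is done, since it holds every password in plain text.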