Security Blog

Change your Twitter account password immediately

Release Date: 04 / 05 / 2018
Last Update: 04 / 05 / 2018

On 3 May 2018, social media Twitter made a statement to their users, their system was found to store the users' passwords in an un-encrypted format (plain text) because of system bug. HKCERT advises all affected users to change their passwords immediately in order to protect their data. If you suspected there is any criminal offenses (e.g. theft of personal information, scamming) related to this incident, report to the Police as soon as possible.


If a user is using the same ID (email address) and password on other online services, it is time to change them and use different new passwords for each service.


Here are some tips for choosing a good password:

  • Use at least eight characters long password.
  • Use combination of different character types in a password, e.g. upper and lower case letters, numeric and symbol characters.
  • Use passwords that are hard to guess but easy to remember.
  • Change your password regularly.
  • Do not use the same password for different online services.

Two-Factor Authentication is an good option to protect your account's security. It requires user to input 2 sets of information of different nature for user authentication, which is a combination of something you know and something you have (e.g. Security token, mobile phone). This is usually in 2 forms:

  1. A one time password sent by SMS to your phone.
  2. A one time token generated by a mobile app or physical token device.

Attackers may take advantage of this incident and send out phishing email or perform social engineering attack. Never change your passwords by clicking the URL in an email that you did not request. You should also be cautious when you receive posts or messages with suspicious URLs, even if the sender claims to be your friends. Check the URLs before you click on it.


To learn more about the methods of account management, enhance security or Two-Factor Authentication, please refer to HKCERT Security Guideline.

HKCERT also advises all webmasters to conduct security assessment regularly, identify and rectify security vulnerabilities early and prevent hackers from attacking.


To learn more about how to secure your web servers, web applications and database servers, please refer to HKCERT Security Guideline:

For origanal Twitter annocement, please refer to