Twitter CTO: “We didn’t have to” tell users about the password debacle

Have you changed your Twitter password yet? If not, go ahead and do it now. I’ll wait. Okay, welcome back. The reason you just did that is because Twitter has owned up to a pretty serious bug that allowed passwords to be stored, unencrypted, on an internal log. The company says it doesn’t believe this data was compromised or accessed by bad actors, but honestly, who knows.

You can imagine that Twitter’s CTO, Parag Agrawal, is very sorry for this blunder, but instead of simply saying “we messed up,” he took to Twitter to imply that users should be thanking Twitter for informing them of the bug.

In a tweet, Agrawal wrote that he is sharing news of this bug “to help people make an informed decision about their account security.” If you talk to anyone who has a semblance of OpSec finesse, the “informed” decision would be to change every password immediately. That’s not all Agrawal had to say. In the same tweet he goes on to say, “We didn’t have to, but believe it’s the right thing to do.”

In essence, Twitter’s top engineer is saying that, yes, it’s true the company had passwords just sitting around in an unencrypted environment, but at least it admitted it. Now that we know this, Agrawal seems to be implying that knowledge is power, so change your password or don’t. (But really, change your password.) Agrawal neglects to mention that we Twitter users didn’t choose to have our passwords potentially compromised. What’s more, even if his team found no evidence of foul play, that doesn’t mean bad things didn’t happen.

It seems Agrawal realized his initial tweet was a mistake. He followed up about 45 minutes later, saying, “I should not have said we didn’t have to share. I have felt strongly that we should. My mistake.”

And it’s true: The company did, in fact, have to tell us about this debacle, because that’s what responsible, leading technology businesses are supposed to do when they mess up and compromise millions of people’s security.