But honestly not that bad, according to Tristan Bolton, founder of enterprise cloud provider BoltonSmith.
We talked to him about how it might have happened, and how it could have been worse.
How it normally works
First, here's what was supposed to happen to your password.
As Twitter CTO Parag Agrawal explained when announcing the mistake, the service normally never stores your actual password.
Twitter stores an encrypted hash of the password instead of the password itself.
If they match, it lets you in.
If they don't match, it doesn't.
(It'd be kind of like turning a smoothie back into strawberries and milk.)
This means that if someone ever hacked into Twitter's database of hashes, they still wouldn't have everyone's passwords.
Because people are hacking into databases all the time, it's crucial that services don't save users' actual passwords.
So, says Bolton, it's become such standard practice that every computer science student learns it.
Even small, informal services usually turn passwords into hashes.
This wasn't always the case; it became much more common after multiple high-profile breaches that exposed millions of accounts.
What can go wrong
But Twitter says that at one point, it failed to do this.
Occasionally, though, a developer forgets to turn off debug logging before taking a system live.
This means that the system keeps logging data it doesn't need, or data it's not supposed to log.
And that can include unencrypted passwords.
This, Bolton says, could be what happened at Twitter.
(We asked Twitter to confirm; they declined to comment.)
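To make the two halves of this concrete, here is an added example (written for this article, not Twitter's code and not something Bolton provided). It stores only a salted, iterated hash and compares on login, and it shows the defensive counterpart to the debug-logging mistake: a log filter that scrubs password fields before anything reaches a log file. The hash algorithm (PBKDF2 from Python's standard library), the user table, the logger name and the request fields are all assumptions constructed for the example; the article does not say which algorithm Twitter uses.

```python
import hashlib
import hmac
import logging
import os
import re

# PBKDF2-HMAC-SHA256 stands in for whatever slow hash a real service uses
# (assumption for this example; the article does not name Twitter's choice).
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' for storage.

    Only this string is ever written to the database; the password is not.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Field names treated as secrets when a request is logged (constructed list).
SECRET_KEYS = {"password", "passwd", "new_password", "token"}


def redact(fields: dict) -> dict:
    """Replace secret values with a marker before a request dict is logged."""
    return {k: "[REDACTED]" if k.lower() in SECRET_KEYS else v for k, v in fields.items()}


class RedactingFilter(logging.Filter):
    """Safety net: scrub 'password=...' pairs from any message that slips through."""

    PATTERN = re.compile(r"(password|passwd|token)=([^\s&,]+)", re.IGNORECASE)

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so values passed as %-args are scrubbed too, then drop args.
        record.msg = self.PATTERN.sub(r"\1=[REDACTED]", record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the example can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "auth"):
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)  # debug left on, as in the mistake described
    logger.handlers.clear()
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, handler


def login(users: dict, username: str, password: str, log: logging.Logger) -> bool:
    """Check a login attempt against stored hashes; log the request, never the secret."""
    log.debug("login attempt: %s", redact({"username": username, "password": password}))
    stored = users.get(username)
    if stored is None:
        hash_password(password)  # spend the same time for unknown users
        return False
    return verify_password(password, stored)


def demo():
    # Constructed sample data: one user, one good login, one bad one, and a
    # careless raw-request debug line of the kind the article describes.
    users = {"alice": hash_password("correct horse battery staple")}
    logger, handler = build_logger()
    ok = login(users, "alice", "correct horse battery staple", logger)
    bad = login(users, "alice", "wrong", logger)
    logger.debug("raw request body: username=alice&password=hunter2")
    return ok, bad, handler.lines


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The point of the two layers is that redacting at the call site is the intended fix, while the filter catches the debug line nobody remembered to remove: with debug logging still switched on, the in-memory log ends up containing "[REDACTED]" where both passwords would otherwise have been.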
And the SEC recently fined Yahoo $35 million for hiding data breaches that exposed billions of accounts.
Sometimes, Bolton says, it's actually appropriate to keep quiet about a data breach or mistake.
Otherwise hackers will have a free week to exploit the vulnerability.
(The ethics of these choices arehighly debated in the security world.)
There's little risk that the passwords made it anywhere outside of Twitter's now-deleted internal log, says Bolton.
(Otherwise Twitter would need to force everyone to change their password, not just suggest it.)
But there's always a slight risk.
You're probably fine if you leave your front door unlocked today, but why take the chance?
So change your password, and if you used it anywhere else, change that too.
(And never reuse passwords again.)
Make your password long, and store it in a password manager.
And turn on two-factor authentication so hackers need more than your password to log into your account.