A system bug would have allowed a hacker to steal the personal data of more than 5 million users
Twitter Friday informed users of a security bug that had allowed a “bad actor” to obtain and resell the personal data of account holders. The tech giant didn’t provide the number of compromised accounts, but media outlets say more than 5 million users could have been affected.
A company statement said the vulnerability in the system, which resulted from a June 2021 code update, allowed entering an email address or phone number and knowing whether one or the other was tied to a specific account.
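The bug described above is an account-enumeration (existence-oracle) flaw: the response to a lookup differed depending on whether the submitted email or phone number was already tied to an account. The following is an added illustration, not Twitter's code or the HackerOne report's reproduction; the account directory, identifiers and handler names are constructed for the example. It places a leaky handler beside a hardened one that answers identically either way, with a self-check a defender can run against any such endpoint.

```python
"""Account-enumeration oracle vs. a uniform response (constructed example)."""
from dataclasses import dataclass

# Constructed sample directory: identifier -> username. Hypothetical data.
ACCOUNTS = {
    "alice@example.invalid": "alice",
    "+15555550100": "alice",
    "bob@example.invalid": "bob",
}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def lookup_vulnerable(identifier: str) -> Response:
    """Leaky version: the response itself tells the caller whether the
    identifier is registered, so the endpoint acts as an existence oracle."""
    username = ACCOUNTS.get(identifier)
    if username is None:
        return Response(404, "No account is associated with this identifier.")
    return Response(200, f"This identifier is linked to @{username}.")


def lookup_hardened(identifier: str) -> Response:
    """Uniform version: identical status and body whether or not the
    identifier is known. Anything that depends on the lookup result
    (e.g. a recovery message) is delivered to the identifier's owner
    out-of-band, never reflected back to the requester."""
    _ = ACCOUNTS.get(identifier)  # internal use only; result is never surfaced
    return Response(
        200,
        "If an account exists for this identifier, we've sent instructions to it.",
    )


def is_enumeration_oracle(handler, known: str, unknown: str) -> bool:
    """Defensive self-check: does the handler answer differently for a
    registered and an unregistered identifier? True means the endpoint
    leaks account existence and needs the uniform-response treatment."""
    a, b = handler(known), handler(unknown)
    return a.status != b.status or a.body != b.body


if __name__ == "__main__":
    for name, handler in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        leaks = is_enumeration_oracle(handler, "alice@example.invalid", "nobody@example.invalid")
        print(f"{name}: {'LEAKS account existence' if leaks else 'uniform response'}")
```

The self-check only covers what the response body and status reveal; in a real deployment the same uniformity should be verified for response timing and for rate limits, since an endpoint that answers uniformly but allows unlimited queries still invites bulk probing.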
Twitter fixed the bug in early 2022. In July, however, the company saw a news article suggesting that “Someone had potentially taken advantage of this and was offering to sell the information they had compiled.”
“After reviewing a sample of the data available for sale, we confirmed that a bad actor took advantage of the issue before it was resolved,” Twitter revealed.
The company has pledged to contact owners of accounts that have been affected by the “unfortunate” incident. However, Twitter admitted that it was unable to confirm each potentially compromised account. The company stressed that it is “particularly mindful of people with pseudonymous accounts who may be targeted by the state or other actors.”
Although the passwords weren’t exposed and users didn’t need to do anything to fix this specific issue, Twitter offered a set of recommendations to keep accounts safe. Pseudonymous account owners have been warned against adding publicly known phone numbers or email addresses, while all users are advised to enable two-factor authentication to protect their personal data.
At the end of July, the website RestorePrivacy revealed that a hacker who operated under the username “devil” had put up for sale on a well-known hacking forum a database containing the personal details of 5.4 million Twitter users, including “Celebrities, companies, coincidences, OGs, etc.”
When contacted by RestorePrivacy, this hacker revealed that he was asking for at least $30,000 for the database, which he said he had been able to assemble thanks to “Twitter’s Incompetence.” He said the exact mechanism by which he took advantage of the bug was explained in a January report on the HackerOne website by user “zhirinovskiy”, who first alerted Twitter to the vulnerability.
Twitter thanked ‘zhirinovskiy’ for “help keep Twitter secure” and awarded him a $5,040 bounty for his investigation.
The incident is not the first time that the personal data of Twitter users has been compromised.
In July 2020, the FBI launched an investigation into a fraudulent bitcoin scheme that left “many highly visible accounts,” including those of Elon Musk, Bill Gates, Barack Obama, and Kim Kardashian, compromised by hackers. The company said at the time that it took “milestones” to limit the access of malicious actors to its internal systems.