A vulnerability in Twitter’s software that exposed an unknown number of anonymous account owners to potential identity compromise last year was apparently exploited by a malicious actor, the social media company said on Friday.
He did not confirm a report that data on 5.4 million users was offered for sale online as a result, but said users around the world were affected.
The breach is particularly worrying because many Twitter account owners, including human rights activists, do not disclose their identities in their profiles for security reasons that include fear of persecution by law enforcement authorities.
“This is very bad for many who use pseudonymous Twitter accounts,” tweeted US Naval Academy data security expert Jeff Kosseff.
The vulnerability allowed someone to determine during login whether a particular phone number or email address was linked to an existing Twitter account, revealing the owners of the account, the company said.
Twitter said it did not know how many users may have been affected and stressed that no passwords were exposed.
“We can confirm the impact has been global,” a Twitter spokesperson said via email. “We cannot determine exactly how many accounts were affected or the location of account holders.”
Twitter’s acknowledgment in a blog post on Friday followed a report last month from digital privacy advocacy group Restore Privacy detailing how data presumably obtained from the vulnerability was being sold on a popular hacking forum for 30,000 $ (about Rs. 28.9 lakh).
A security researcher discovered the flaw in January, informed Twitter and received a bounty of $5,000 (about Rs. 4 lakh). Twitter said the bug, introduced in a June 2021 software update, was immediately fixed.
Twitter said it learned of the data sale on the hacking forum from the media and “confirmed that a bad actor took advantage of the issue before it was resolved.”
He said he was directly notifying all account owners that he could confirm they were affected.
“We are issuing this update because we are unable to confirm all potentially impacted accounts and are particularly mindful of individuals with pseudonymous accounts who may be targeted by the state or other actors,” the company said. .
He recommended users seeking to keep their identities concealed not to add a publicly known phone number or email address to their Twitter account.
“If you are operating a pseudonymous Twitter account, we understand the risks that an incident like this can introduce and deeply regret that this happened,” he said.
The revelation of the breach comes as Twitter is in a legal battle with Tesla CEO Elon Musk over his attempt to walk back his previous offer to buy San Francisco-based Twitter for $44 billion (approximately Rs. 3,500 crore).