Twitter: a hostile actor appears to have exploited a technical flaw behind a reported 5.4-million-account data leak
According to Twitter, a malicious actor appears to have exploited a technical weakness that put the identities of an undetermined number of owners of anonymous accounts at risk last year. On Friday, it stated that users globally had been affected, but it did not confirm a report indicating that, as a result, data on 5.4 million people had been put up for sale online.
The theft is especially troubling because many Twitter users, particularly human rights activists, hide their names in their profiles for security reasons or out of fear of retaliation from authoritarian authorities. Jeff Kosseff, a data security specialist at the US Naval Academy, tweeted: “This is incredibly bad for anyone who uses anonymous Twitter accounts.”
The bug, according to the company, allowed anyone to determine during the login process whether a particular phone number or email address was linked to an active Twitter account, thereby revealing account owners. No credentials were exposed, according to Twitter, and it was not immediately clear how many people might have been affected.
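The flaw described above is a classic account-enumeration oracle: a login (or signup or password-reset) flow that reacts differently depending on whether the submitted email or phone number belongs to an existing account. The following is an added example, not Twitter's code and not drawn from the article, that shows the leaky pattern beside a hardened one and a small check a defender can run in a test suite to catch the regression. The user store, identifiers and passwords are constructed sample data; the salt is fixed only so the example is deterministic.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Tuple

# Constructed sample user store (hypothetical identifiers and passwords).
_SALT = bytes.fromhex("00" * 16)  # fixed only so the sample is deterministic


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS: Dict[str, bytes] = {
    "alice@example.org": _hash_password("correct horse", _SALT),
    "+15550100": _hash_password("battery staple", _SALT),
}

# A random dummy hash that is verified for unknown identifiers, so the
# code path and the amount of work are the same as for a known one.
_DUMMY_HASH = _hash_password(secrets.token_hex(8), _SALT)

Response = Tuple[int, str]  # (HTTP status code, response body)
Handler = Callable[[str, str], Response]


def login_leaky(identifier: str, password: str) -> Response:
    """Vulnerable pattern: status and message reveal whether the identifier exists."""
    stored = USERS.get(identifier)
    if stored is None:
        return 404, "No account is associated with this email or phone number."
    if not hmac.compare_digest(stored, _hash_password(password, _SALT)):
        return 401, "Incorrect password."
    return 200, "ok"


def login_uniform(identifier: str, password: str) -> Response:
    """Hardened pattern: same status, same body and same work whether or not
    the identifier exists, so the response carries no membership information."""
    stored = USERS.get(identifier, _DUMMY_HASH)
    candidate = _hash_password(password, _SALT)
    ok = hmac.compare_digest(stored, candidate) and identifier in USERS
    if ok:
        return 200, "ok"
    return 401, "Incorrect email/phone number or password."


def is_enumeration_oracle(handler: Handler, known: str, unknown: str,
                          wrong_password: str = "not-the-password") -> bool:
    """Defensive regression check: True if a wrong-password attempt produces a
    different (status, body) for a known identifier than for an unknown one."""
    return handler(known, wrong_password) != handler(unknown, wrong_password)


if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("uniform", login_uniform)):
        leaks = is_enumeration_oracle(handler, "alice@example.org", "nobody@example.org")
        print(f"{name}: enumeration oracle = {leaks}")
```

The same uniform-response rule applies to every flow that accepts an email or phone number (registration, password reset, "find friends" contact import); the check above is worth running against each of them, and response timing should be compared as well, which is why the hardened handler hashes a dummy value for unknown identifiers instead of returning early.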
“We can confirm that there was a worldwide impact,” a representative of Twitter wrote in an email. “We are unable to determine the exact number of affected accounts or the location of the account holders.”
Twitter addressed the problem in a blog post on Friday, responding to a report published last month by the digital privacy advocacy group Restore Privacy, which detailed how data allegedly obtained through the vulnerability was being sold on a well-known hacking market for USD 30,000.
A security researcher who discovered the flaw in January also reported it to Twitter and reportedly received a $5,000 bounty. According to Twitter, the bug, which had been introduced in a June 2021 software update, was swiftly fixed.
As reported in the media, Twitter said it learned of the data sale on the hacker forum and “verified that a bad actor had exploited the problem before it was rectified.” All account owners whose accounts it can verify were impacted, it said, would be notified directly. The company stated, “We are posting this information because we are unable to confirm every account that was potentially compromised, and we are especially mindful of users with pseudonymous accounts who may be targeted by state or other actors.”
It advised users who wish to keep their identities private not to add a publicly known email address or phone number to their Twitter account. The disclosure of the breach coincides with Twitter’s lawsuit against Tesla CEO Elon Musk over his attempt to back out of his earlier $44 billion deal to buy the San Francisco-based company.