Twitter has confirmed that it suffered a data breach which leaked the email addresses and phone numbers of users. The issue came to light after a hacker leaked a sample of the data.
In a statement published on its blog, Twitter explains how the issue occurred. It says that the developers had updated the site’s code in June 2021 as part of its regular operations. The code unfortunately contained a bug which allowed anyone to submit an email address or phone number via a login form, and Twitter’s system would in turn reveal which account that data was associated with.
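To make the bug class concrete, here is an added Python example (not Twitter’s code; the account store and log lines are constructed): a lookup handler that answers differently for registered and unregistered identifiers, a hardened counterpart that answers identically either way, a check that tells the two apart, and a log rule that flags a source submitting many distinct identifiers in a short window.

```python
from collections import defaultdict
# Constructed sample account store (identifier -> handle); not real data.
ACCOUNTS = {"alice@example.com": "@alice", "+15550100": "@bob"}

def vulnerable_lookup(identifier: str) -> dict:
    """The bug class from the article: the reply differs for registered and
    unregistered identifiers and names the linked account."""
    handle = ACCOUNTS.get(identifier.strip().lower())
    if handle is None:
        return {"status": 404, "error": "no account for this identifier"}
    return {"status": 200, "account": handle}

def hardened_lookup(identifier: str) -> dict:
    """Hardened form: identical status and body whether or not the identifier
    is known; any real action (e.g. a recovery email) goes out-of-band."""
    if identifier.strip().lower() in ACCOUNTS:
        pass  # enqueue the out-of-band step here; it must not alter the reply
    return {"status": 200, "message": "If an account matches, instructions will be sent."}

def response_leaks(lookup, known_id: str, unknown_id: str) -> bool:
    """Defender check: True if replies for a known and an unknown identifier
    are distinguishable, i.e. the endpoint is an enumeration oracle."""
    return lookup(known_id) != lookup(unknown_id)

# Constructed log lines for the lookup form: "<epoch> <source_ip> <identifier>".
SAMPLE_LOG = """\
1640995200 203.0.113.7 alice@example.com
1640995201 203.0.113.7 carol@example.com
1640995202 203.0.113.7 dave@example.com
1640995203 203.0.113.7 +15550100
1640995204 198.51.100.9 alice@example.com
"""

def flag_enumeration(log_text: str, window: int = 60, threshold: int = 3) -> set:
    """Detection: sources submitting more than `threshold` distinct identifiers
    within `window` seconds, the signature of bulk mining of the oracle."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, ident = line.split()
        events[src].append((int(ts), ident.lower()))
    flagged = set()
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            distinct = {ident for t, ident in evs[i:] if t - t0 <= window}
            if len(distinct) > threshold:
                flagged.add(src)
                break
    return flagged
```

The hardened handler only fixes the response body; a deployment should also keep response timing uniform and rate-limit the form, since the log rule above is what catches mining that slips past both.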
The social networking company received a report about the bug in January 2022 and fixed the vulnerability to protect its users. A gap of 6 months between when the issue began and when it was fixed is quite large, and hackers could potentially have mined the data, but Twitter did not find any evidence that the bug had been exploited by bad actors.
So, if it happened 6 months ago, why is Twitter revealing it now? It says that a recently published media report revealed that hackers may have misused the vulnerability to gain access to the sensitive data. Twitter reviewed a part of the data that was available online and confirmed that someone had indeed extracted it. This seems to have happened before the vulnerability was patched.
The social network says that it cannot confirm whether all users are affected by the issue, but that it will alert users whose accounts were impacted. Twitter also reassured users that no passwords were compromised in the data breach.
While the company may have declined to reveal the number of impacted accounts, a report published by Bleeping Computer in July 2022 reveals that a hacker claimed to have access to user data from over 5.4 million accounts. The hacker had put the details up for sale on the dark web for about $30,000. This is likely the media report that Twitter was referring to.
Since this is a server-side vulnerability, there is nothing that users can do about the bug itself. Twitter has advised users to enable 2-factor authentication to keep their accounts safe. It also asked users with pseudonymous accounts not to use a publicly known phone number or email address with their account, to keep their identity secret.
Note: If you get an email from Twitter asking you to log in to your account, pay attention to the sender’s name, the URL, etc. It could well be a phishing attempt.
It may be a good idea to start using a secondary email address (or email aliases) for social networks; this will not only protect your primary email ID but can also help keep junk mail out of your inbox.
Twitter has a serious bot problem too, which is one of the reasons why a recent acquisition attempt by tech mogul Elon Musk fell through.
Do you use your primary email address and phone number with your Twitter account?
>Do you use your primary email address and phone number with your Twitter account?
No sir, and the only reason they allowed me to dodge the phone number was that I used a FIDO2 compatible hardware 2FA key to secure my account with a second factor. In my book that should be a default option. If they really have my security in mind, allow me to choose alternatives like TOTP generators and 2FA keychains over leaking my most sensitive data.
Most companies don’t care about your security, they say the text messages are for protection, but they are to syphon your data. Google allowed me to dodge phone numbers way harder. MS banned me because I didn’t provide a phone number. Support tried to coerce me into giving the phone number first. It took me weeks to have my deactivated account deleted threatening them with a GDPR complaint.
Also I am sure they want phone numbers because EU law makes it impossible to buy burner phones. The SIM cards do not activate unless you buy them and present a citizen ID here. A phone number is thus requested by the government to hunt outliers down who post hate messages online.
ThinkPol and Bigbrother are a reality. A VPN and TOR are useless once they have your phone number. I rate this article Doubleplus Good.
Adding more personal information to a vulnerable account is so stupid a blind man can see it.
TFA is in theory a good idea but in practice it’s used as just another way to build your advertising profile so that it’s more profitable which in fact makes your data less secure.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.