Twitter has confirmed that it suffered a data breach which leaked the email addresses and phone numbers of users. The issue came to light after a hacker leaked a sample of the data.
How did the Twitter data breach happen?
In a statement published on its blog, Twitter explains how the issue occurred. It says that its developers updated the site's code in June 2021 as part of regular operations. The updated code unfortunately contained a bug: when someone submitted an email address or phone number via a login form, Twitter's system would reveal which account that email address or phone number was associated with.
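The behaviour described above is a classic account-enumeration oracle. The following Python sketch is an added illustration, not Twitter's code: a vulnerable lookup handler that echoes the account tied to a submitted identifier, a hardened handler whose response does not depend on whether the identifier is known, and a check that flags the difference. The user table and identifiers are constructed sample data.

```python
# Added example (not Twitter's code): a login/recovery form acting as an
# account-enumeration oracle, beside a response-uniform version of the same form.
# USERS and all identifiers below are constructed sample data.

USERS = {
    "alice@example.com": "@alice_handle",
    "+15555550100": "@alice_handle",
    "bob@example.com": "@bob_pseudonym",
}


def normalise(identifier: str) -> str:
    """Trim and lower-case the submitted email address or phone number."""
    return identifier.strip().lower()


def vulnerable_lookup(identifier: str) -> dict:
    """Leaks the identifier -> account mapping, as the bug described above did.
    Known and unknown identifiers produce visibly different responses."""
    handle = USERS.get(normalise(identifier))
    if handle is None:
        return {"status": 404, "message": "No account found"}
    return {"status": 200, "message": f"Account associated: {handle}"}


def hardened_lookup(identifier: str) -> dict:
    """Same form, but the response is identical whether or not the identifier
    is known. Any follow-up (reset link, verification code) goes out of band
    to the submitted address itself, never back to the requester."""
    _ = USERS.get(normalise(identifier))  # still looked up, never echoed
    return {"status": 200, "message": "If an account matches, we will contact it."}


def responses_are_uniform(handler, identifiers) -> bool:
    """Defender's check: a handler is enumeration-resistant only if every
    identifier, known or unknown, yields exactly the same response."""
    seen = {repr(handler(i)) for i in identifiers}
    return len(seen) == 1
```

Running `responses_are_uniform` over a mix of known and unknown identifiers is a cheap regression test for any identifier-accepting endpoint (login, password reset, account recovery), which is where this class of bug usually reappears.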
The social networking company received a report about the bug in January 2022 and fixed the vulnerability to protect its users. The 6-month gap between the bug's introduction and its fix is quite large, and hackers could potentially have mined the data during that window, but at the time Twitter found no evidence that the bug had been exploited by bad actors.
So, if it happened 6 months ago, why is Twitter revealing it now? It says that a recently published media report revealed that hackers may have misused the vulnerability to gain access to the sensitive data. Twitter reviewed a sample of the data that was available online and confirmed that someone had indeed extracted it. This appears to have happened before the vulnerability was patched.
The social network says that it cannot confirm whether all users are affected by the issue, but that it will alert users whose accounts were impacted. Twitter also reassured users that no passwords were compromised in the data breach.
While the company has declined to reveal the number of impacted accounts, a report published by Bleeping Computer in July 2022 states that a hacker claimed to have user data from over 5.4 million accounts. The hacker had put the details up for sale on the dark web for about $30,000. This is likely the media report that Twitter was referring to.
Since this was a server-side vulnerability, there is nothing users could have done to prevent it. Twitter has advised users to enable 2-factor authentication to keep their accounts safe. It also asked users who have pseudonymous accounts not to use a publicly known phone number or email address with their account, so that their identity stays secret.
Note: If you get an email from Twitter asking you to log in to your account, pay attention to the sender's name, the URL, etc. It could well be a phishing attempt.
It may be a good idea to start using a secondary email address (or email aliases) for social networks; this not only protects your primary email address, but can also help keep junk mail out of your inbox.
Twitter has a serious bot problem too, which is one of the reasons why a recent acquisition attempt by tech mogul Elon Musk fell through.
Do you use your primary email address and phone number with your Twitter account?