Twitter on Friday informed users of a security bug that had allowed “a bad actor” to obtain and sell the personal data of account holders. The tech giant didn’t provide the number of compromised accounts, but media reports state that more than 5 million users could have been affected.
A company statement said that the system vulnerability, which resulted from a June 2021 code update, made it possible to enter an email address or phone number and learn if either was linked to a specific account.
Twitter fixed the bug in early 2022. In July, however, the company saw a press report suggesting that “someone had potentially leveraged this and was offering to sell the information they had compiled.”
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter revealed.
The company vowed to contact the owners of the accounts that were affected by the “unfortunate” incident. However, Twitter admitted that it had been impossible to confirm every account that was potentially compromised. The company stressed that it is “particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”
Although passwords were not exposed and users do not need to do anything to address this specific issue, Twitter came up with a set of recommendations to protect accounts. The owners of pseudonymous accounts have been warned against adding publicly known phone numbers or email addresses, while all users are advised to enable two-factor authentication to protect their personal data.
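To make the flaw described above concrete, the following is an added illustration (not Twitter's code, and not based on any published detail of its implementation): a hypothetical contact-lookup oracle that answers differently for linked and unlinked contacts, a hardened version that answers uniformly, and a detection routine run over constructed log lines that flags callers probing many distinct contacts. All account data, IP addresses and the log format are constructed sample values.

```python
from collections import defaultdict

# Constructed sample account store (hypothetical data, not real accounts).
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "phone": "+15555550100"},
    "bob":   {"email": "bob@example.com",   "phone": "+15555550101"},
}


def vulnerable_lookup(contact):
    """Enumeration oracle: returns the handle linked to an email/phone, or None.
    Because the answer differs for linked and unlinked contacts, a caller can
    sweep a list of known emails or numbers and map them to accounts."""
    for handle, info in ACCOUNTS.items():
        if contact in (info["email"], info["phone"]):
            return handle
    return None


def hardened_lookup(contact):
    """Uniform response: the caller cannot tell whether the contact is linked.
    Any real action (e.g. queuing a verification message) happens internally."""
    _ = vulnerable_lookup(contact)  # result is used only server-side, never returned
    return "If that contact is registered, we will send a message to it."


def flag_enumeration(log_lines, threshold=3):
    """Detection: list callers that queried more than `threshold` distinct contacts.
    Assumed (constructed) log line format: '<caller_ip> <contact> <result>'."""
    seen = defaultdict(set)
    for line in log_lines:
        caller, contact, _result = line.split()
        seen[caller].add(contact)
    return sorted(ip for ip, contacts in seen.items() if len(contacts) > threshold)


# Constructed sample log: one caller probing many contacts, one legitimate caller.
SAMPLE_LOG = [
    "203.0.113.7 alice@example.com linked",
    "203.0.113.7 bob@example.com linked",
    "203.0.113.7 carol@example.com none",
    "203.0.113.7 +15555550199 none",
    "198.51.100.4 alice@example.com linked",
]

if __name__ == "__main__":
    print(vulnerable_lookup("alice@example.com"), vulnerable_lookup("x@example.com"))
    print(hardened_lookup("alice@example.com") == hardened_lookup("x@example.com"))
    print(flag_enumeration(SAMPLE_LOG))
```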
In late July, the website RestorePrivacy revealed that a hacker operating under the username ‘devil’ had put up for sale, on a well-known hacking forum, a database containing the personal details of 5.4 million Twitter users, including “Celebrities, to Companies, randoms, OGs, etc.”
When reached by RestorePrivacy, the hacker said he was asking for at least $30,000 for the database, which, he stressed, he had been able to compile because of “Twitter’s incompetence.” He said that the exact mechanism by which he exploited the bug was explained in a January report on the HackerOne platform by user ‘zhirinovskiy’, who was the first to warn Twitter of the vulnerability.
Twitter thanked ‘zhirinovskiy’ for “helping keep Twitter secure” and awarded him a $5,040 bounty for his investigation.
The incident is not the first time the personal data of Twitter users has been compromised.
In July 2020, the FBI launched an investigation into a Bitcoin scam in which hackers took over “many highly-visible” accounts, including those of Elon Musk, Bill Gates, Barack Obama and Kim Kardashian. The company said at the time that it had taken “significant steps” to limit the malign actors’ access to its internal systems.