Twitter Breach Exposed Anonymous Account Owners
Twitter Logo (Representational Image/PTI)
New York: A vulnerability in Twitter’s software that exposed the identity compromise of an undetermined number of owners of anonymous accounts last year was apparently exploited by a malicious actor, the social media company said.
It did not confirm reports that 5.4 million users’ data was being offered for sale online as a result, but said on Friday that users worldwide were affected. The breach is particularly troubling because many Twitter account owners, including human rights activists, do not disclose their identities on their profiles for security reasons, including fear of harassment by repressive authorities.
“Too bad for the many people who use pseudonymous Twitter accounts,” tweeted Jeff Kosseff, a data security expert at the US Naval Academy.
The vulnerability allowed someone to determine during login whether a particular phone number or email address was linked to an existing Twitter account, thereby revealing the account owners, the company said.
Twitter said it did not know how many users may have been affected, and stressed that no passwords had been exposed. “We can confirm that the vulnerability is global,” a Twitter spokesperson said via email. “We cannot determine precisely how many accounts are affected or the location of account holders.”
Twitter made the acknowledgment in a blog post on Friday, following a report last month by digital privacy advocacy group RestorePrivacy detailing how data obtained from the vulnerability was being sold for $30,000 on a popular hacking forum.
Also Read: Tesla Investors Approve Stock Split; Add Elon Musk Factories
A security researcher discovered the flaw in JanuACHI, notified Twitter and was awarded a $5,000 reward. Twitter said the bug, introduced in the June 2021 software update, was immediately fixed.
Twitter said it learned about the data sale on a hacking forum from media reports and “confirmed that a bad actor took advantage of the issue before it was resolved.” It said it will notify all account owners directly to confirm they are affected.
“We are issuing this update because we cannot confirm every account that may have been affected, and we are mindful of those with pseudonymous accounts that may be targeted by state or other actors,” the company said.
Also Read: China Bans US Nancy Pelosi For Taiwan Visit
It recommended that users who want to hide their identities not add a publicly known phone number or email address to their Twitter account. “We understand the risks that an incident like this can introduce if you operate a Twitter account under a pseudonym, and are deeply sorry that this happened,” it said.
The revelation of the breach comes as Twitter is engaged in a legal battle with Tesla CEO Elon Musk to back out of his earlier offer to buy San Francisco-based Twitter for $44 billion.