On Friday, Twitter admitted to a fault in its code that caused the breach of users’ private data. The code became vulnerable in June last year, with Twitter only becoming aware of the issue in January. The code was fixed, but the damage is done.
The vulnerability was first discovered by a security researcher, who reported the fault through Twitter’s bug bounty program. After fixing the error, Twitter didn’t feel a need to warn its 396 million users of the breach, claiming there was “no evidence” it had been exploited. Twitter then learned that a ‘bad actor’ had potentially stolen private data and was offering to sell it. Twitter reviewed the data for sale, confirming the breach had impacted users.
The bug allowed attackers to submit an email address or phone number to the system and learn which account, if any, was tied to it. This made it possible to determine the identity behind certain accounts and sell that information to the highest bidder.
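The flaw described above is a classic account-enumeration bug: a lookup endpoint answers differently depending on whether the submitted identifier is linked to an account. The following is an added illustration, not Twitter's code, and the account table, the request log and the endpoint path `/i/lookup` are all constructed for the example. It shows the leaky response beside a uniform one that reveals nothing to the caller, and a simple detector that flags a client sending many distinct identifiers to the lookup endpoint in a short window, which is what mass enumeration looks like in server logs.

```python
"""Added example (hypothetical, not Twitter's code): the response pattern
behind an account-enumeration bug, the non-leaking alternative, and a
log-based detector for bulk lookups."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account table (hypothetical identifiers, not real users).
ACCOUNTS = {
    "alice@example.com": "alice_handle",
    "+15550000001": "bob_handle",
}


def vulnerable_lookup(identifier: str) -> dict:
    """Leaky version: the body differs depending on whether the identifier
    is linked to an account, so anyone can test identifiers one by one."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": 404, "error": "no account found"}
    return {"status": 200, "handle": handle}


def hardened_lookup(identifier: str) -> dict:
    """Uniform version: same status and body whether or not the identifier
    matches. Any follow-up (e.g. a reset link) is delivered to the
    identifier itself, so the caller learns nothing about linkage.
    Response timing should also be made uniform; that is left out here."""
    _ = ACCOUNTS.get(identifier)  # do the work, never reflect its outcome
    return {
        "status": 200,
        "message": "If this identifier is registered, a message has been sent to it.",
    }


# Constructed request log: timestamp, source IP, path, submitted identifier.
SAMPLE_LOG = """\
2022-01-10T12:00:01Z 203.0.113.5 /i/lookup a1@example.com
2022-01-10T12:00:02Z 203.0.113.5 /i/lookup a2@example.com
2022-01-10T12:00:03Z 203.0.113.5 /i/lookup a3@example.com
2022-01-10T12:00:04Z 203.0.113.5 /i/lookup a4@example.com
2022-01-10T12:00:05Z 198.51.100.7 /i/lookup alice@example.com
2022-01-10T12:20:00Z 198.51.100.7 /i/lookup alice@example.com
"""


def enumeration_candidates(log_text: str,
                           window: timedelta = timedelta(minutes=5),
                           threshold: int = 3) -> dict:
    """Return {source_ip: peak_distinct_identifiers} for every source that
    submitted at least `threshold` distinct identifiers to the lookup
    endpoint within any `window`-long period."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, path, ident = line.split()
        if path != "/i/lookup":
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_src[src].append((when, ident))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        # Sliding window anchored at each event; fine for small logs.
        for i, (start, _) in enumerate(events):
            distinct = {ident for when, ident in events[i:] if when - start <= window}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(vulnerable_lookup("alice@example.com"), vulnerable_lookup("nobody@example.com"))
    print(hardened_lookup("alice@example.com"), hardened_lookup("nobody@example.com"))
    print(enumeration_candidates(SAMPLE_LOG))
```

The detector counts distinct identifiers rather than raw requests, because a legitimate user retrying their own address produces many requests but only one identifier; the 198.51.100.7 entries in the constructed log are left unflagged for that reason.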
“We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” Twitter said in a blog post.
Twitter couldn’t say how many accounts were affected, not knowing the actual number itself. Someone speaking to Bleeping Computer last month said they used the fault to obtain data from more than 5.4 million accounts. And that’s from one person. The real number could be much, much higher.
Despite no passwords being leaked, Twitter is urging users to turn on two-factor authentication and avoid using publicly known email addresses or phone numbers for extra security. As most accounts already have personal email addresses or numbers linked to them, this advice is almost useless. Perhaps Twitter could avoid allowing people to access this data for personal gain instead.