Twitter admits breach that exposed account owners worldwide


Twitter said Friday that a vulnerability in its software, which exposed an unspecified number of owners of anonymous accounts to potential identity compromise last year, was apparently exploited by a malicious actor.


It did not confirm a report that data from 5.4 million users had been offered for sale online, but said users around the world were affected.

The breach is particularly worrying because many Twitter account owners, including human rights activists, do not disclose their identities for security reasons, including fear of harassment by repressive authorities.


“Too bad for the many people using pseudonymous Twitter accounts,” tweeted Jeff Kosseff, a data security expert at the US Naval Academy.

The vulnerability allowed someone to determine during log-in whether a particular phone number or email address was linked to an existing Twitter account, revealing account owners, the company said.


Twitter said it does not know how many users may have been affected, and insisted that no passwords were exposed.

“We can confirm that the impact was global,” a Twitter spokesperson said via email. “We cannot determine how many accounts were affected or the location of the account holders.”

Twitter’s acknowledgment in a blog post on Friday followed a report last month by digital privacy advocacy group Restore Privacy detailing how data potentially derived from the vulnerability was being sold on a popular hacking forum for $30,000.

A security researcher discovered the flaw in January, informed Twitter, and received a $5,000 reward. Twitter said the bug, introduced in a June 2021 software update, was fixed immediately.

Twitter said it learned of the data sale on the hacking forum from media reports and “confirmed that a bad actor took advantage of it before addressing the issue.”

It said it is directly notifying all account owners that it can confirm were affected.

The company said, “We are publishing this update because we are not able to verify every account potentially affected, and specifically take into account pseudonymous ones that have been misappropriated by the state or other actors can be targeted.”

It has advised users to keep their identity anonymous and not to add publicly known phone numbers or email addresses to their Twitter accounts.


“If you operate a pseudonymous Twitter account, we understand the risks that such an incident could introduce and are deeply sorry that this happened,” it said.

The revelation of the breach comes as Twitter is in a legal battle with Tesla CEO Elon Musk over his effort to back out of his previous offer to buy San Francisco-based Twitter for $44 billion.

