Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Twitter Breach Exposed Anonymous Account Owners

A vulnerability in Twitter’s software that exposed an undetermined number of owners of anonymous accounts to potential identity compromise last year was apparently exploited by a malicious actor, the social media company said Friday.

A vulnerability in Twitter’s software that exposed an undetermined number of owners of anonymous accounts to potential identity compromise last year was apparently exploited by a malicious actor, the social media company said Friday.

It did not confirm a report that data on 5.4 million users was offered for sale online as a result but said users worldwide were affected.

The breach is especially worrisome because many Twitter account owners, including human rights activists, do not disclose their identities in their profiles for security reasons that include fear of persecution by repressive authorities.

“This is very bad for many who use pseudonymous Twitter accounts,” U.S. Naval Academy data security expert Jeff Kosseff tweeted.

The vulnerability allowed someone to determine during log-in whether a particular phone number or email address was tied to an existing Twitter account, thereby revealing account owners, the company said.

Twitter said it did not know how many users may have been affected, and stressed that no passwords were exposed.

“We can confirm the impact was global,” a Twitter spokesperson said via email. “We cannot determine exactly how many accounts were impacted or the location of the account holders.”

Twitter’s acknowledgment in a blog post Friday followed a report last month by the digital privacy advocacy group Restore Privacy detailing how data presumably obtained from the vulnerability was being sold on a popular hacking forum for $30,000.

A security researcher discovered the flaw in January, informed Twitter and was paid a reported $5,000 bounty. Twitter said the bug, introduced in a June 2021 software update, was immediately fixed.

Twitter said it learned about the data sale on the hacking forum from media reports and “confirmed that a bad actor had taken advantage of the issue before it was addressed.”

It said it was directly notifying all account owners that it can confirm were affected.

“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” the company said.

It recommended users seeking to keep their identities veiled not add a publicly known phone number or email address to their Twitter account.

“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” it said.

The revelation of the breach comes while Twitter is in a legal battle with Tesla CEO Elon Musk over his attempt to back out from his previous offer to buy San Francisco-based Twitter for $44 billion.

RelatedCan Elon Musk Spur Cybersecurity Innovation at Twitter?

Related: Hackers Used Internal Twitter Tools to Hijack Big-Name Accounts

Related: Why Are Users Ignoring Multi-Factor Authentication? 

Related: UK Man Arrested in Spain, Charged in US With Twitter Hack

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.