A vulnerability in Twitter’s software that exposed owners of an unspecified number of anonymous accounts to possible identity compromise last year appears to have been exploited by malicious actors, the social media company announced Friday.
Twitter did not confirm reports that data on 5.4 million users was being sold online, but said that users around the world were affected.
This breach is of particular concern because many Twitter account holders, including human rights activists, do not disclose their identities on their profiles for security reasons, including fear of persecution by repressive authorities.
“This is very bad for many people using fake Twitter accounts,” tweeted Jeff Kosseff, a data security expert at the U.S. Naval Academy.
The vulnerability made it possible to determine at login whether a given phone number or email address was associated with an existing Twitter account, thereby revealing the account’s owner, the company said.
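The mechanism described above is a classic account-enumeration oracle: a login or lookup endpoint that answers differently depending on whether the submitted identifier is registered. The following is an added example, not code from the article or from Twitter, that contrasts the leaky pattern with a hardened version and adds a small log check a defender could use to spot enumeration-style traffic. The account store, passwords, addresses and log lines are all constructed for the example.

```python
"""Identifier-lookup-at-login shown two ways: the enumeration-prone pattern
and a hardened version that responds identically whether or not the
identifier is registered. All data below is constructed for the example."""
import hashlib
import hmac
import secrets

# Constructed sample account store: identifier -> salted password hash.
SALT = b"example-salt"


def _hash(pw: str) -> bytes:
    return hashlib.sha256(SALT + pw.encode()).digest()


ACCOUNTS = {
    "alice@example.org": _hash("correct horse"),
    "+15555550100": _hash("battery staple"),
}


def vulnerable_login(identifier: str, password: str) -> str:
    """Leaks registration status: the error text (and control flow) differ
    depending on whether the identifier exists, so an unauthenticated caller
    learns whether a given email or phone number belongs to an account."""
    stored = ACCOUNTS.get(identifier)
    if stored is None:
        return "no account is associated with this email or phone number"
    if not hmac.compare_digest(stored, _hash(password)):
        return "incorrect password"
    return "ok"


# Dummy hash so unknown identifiers take the same code path (and cost) as known ones.
_DUMMY = _hash(secrets.token_hex(16))


def hardened_login(identifier: str, password: str) -> str:
    """Same outcome message for 'unknown identifier' and 'wrong password', and
    the same amount of work on both paths, so the response reveals nothing
    about whether the identifier is registered."""
    stored = ACCOUNTS.get(identifier, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password))
    if stored is _DUMMY or not ok:
        return "incorrect email/phone or password"
    return "ok"


def is_enumeration_oracle(login_fn) -> bool:
    """Self-check for a login handler: with a wrong password, does it answer
    differently for a registered identifier than for an unregistered one?"""
    known = login_fn("alice@example.org", "wrong")
    unknown = login_fn("nobody@example.org", "wrong")
    return known != unknown


# Constructed sample auth log: "<timestamp> <src_ip> login_attempt id=<identifier>"
SAMPLE_LOG = """\
2022-01-05T10:00:01Z 198.51.100.7 login_attempt id=alice@example.org
2022-01-05T10:00:02Z 198.51.100.7 login_attempt id=bob@example.org
2022-01-05T10:00:02Z 198.51.100.7 login_attempt id=carol@example.org
2022-01-05T10:00:03Z 198.51.100.7 login_attempt id=+15555550100
2022-01-05T10:00:09Z 203.0.113.9 login_attempt id=alice@example.org
2022-01-05T10:00:40Z 203.0.113.9 login_attempt id=alice@example.org
"""


def distinct_identifiers_per_source(log: str) -> dict[str, int]:
    """Counts how many distinct identifiers each source tried. A user retrying
    their own login repeats one identifier; a source cycling through many
    identifiers in a short window is the signature of enumeration."""
    seen: dict[str, set[str]] = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "login_attempt":
            continue
        src, ident = parts[1], parts[3].removeprefix("id=")
        seen.setdefault(src, set()).add(ident)
    return {src: len(ids) for src, ids in seen.items()}


if __name__ == "__main__":
    print("vulnerable handler leaks:", is_enumeration_oracle(vulnerable_login))
    print("hardened handler leaks:", is_enumeration_oracle(hardened_login))
    print("distinct identifiers per source:", distinct_identifiers_per_source(SAMPLE_LOG))
```

The hardened handler still has to be paired with rate limiting and with the same uniform response on every identifier-bearing endpoint (signup, password reset, account recovery), since an oracle on any one of them undoes the others.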
Twitter said it did not know how many users may have been affected, and emphasized that passwords were not made public.
“We can confirm that the impact was global,” a Twitter spokesperson said in an email. “We are unable to determine the exact number of affected accounts or the location of the account holders.”
Twitter’s acknowledgment in a blog post on Friday follows a report last month by the digital privacy advocacy group Restore Privacy detailing how data supposedly obtained through the vulnerability was offered for sale for $30,000 on a popular hacking forum.
A security researcher discovered the vulnerability in January, reported it to Twitter, and was reportedly rewarded with a $5,000 bounty. According to Twitter, the bug, which was introduced in the June 2021 software update, was quickly fixed.
Twitter said it learned of the sale of data on hacking forums from media reports and said it “confirmed that malicious actors were taking advantage of this issue before it was resolved.”
It said it is directly notifying all account holders whom it can confirm were affected.
“We are unable to verify all accounts that may have been affected, and we are paying particular attention to those with pseudonymous accounts who could be targeted by states and other actors, so we are taking this step and rolling out an update,” the company said.
Twitter recommended that users who wish to keep their identity hidden not add a publicly known phone number or email address to their account.
“When operating a pseudonymous Twitter account, we understand the risk that incidents like this may occur, and we deeply regret that this happened.”
The breach revelations came as Twitter fought a legal battle with Tesla CEO Elon Musk over his attempt to withdraw his earlier offer to acquire San Francisco-based Twitter for $44 billion.