Twitter Just Admitted Exposing 5.4 Million Accounts to Hackers
"Bad actors" stole database of email addresses and phone numbers.
Twitter said that a security flaw had exposed private information connected to 5.4 million user accounts, and the breach might pose a serious threat to a particular type of user. "This is very bad for many who use pseudonymous Twitter accounts," U.S. Naval Academy data security expert Jeff Kosseff tweeted. Read on to find out what the security vulnerability is, how long it lasted, and how you can keep your Twitter account safe.
Because of the vulnerability, anyone could enter a phone number or email address of a Twitter user and see if it was connected to an existing Twitter account. That would potentially reveal the identity of anyone who intended to operate an account under a pseudonym.
"If someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company said in a statement on Friday.
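The weakness the statement describes is an account-enumeration oracle: the lookup response itself tells the requester whether a contact is registered and which account it belongs to. The Python below is an added example, not Twitter's code, that models that flaw beside a hardened version (identical response for known and unknown contacts, the only signal sent out of band to the contact's owner, and a per-client attempt cap), plus a small detector that flags clients probing many distinct contacts in a constructed access log. The accounts, log lines and client identifiers are all constructed for the example.

```python
# Added example (not Twitter's code): a contact-lookup endpoint modelled as an
# enumeration oracle, the hardened equivalent, and a detector over access logs.
from collections import defaultdict

# Constructed sample directory of contact -> handle (hypothetical accounts).
ACCOUNTS = {
    "+15550100": "@anon_reporter",
    "whistle@example.org": "@whistle",
}


def normalize(contact: str) -> str:
    """Canonicalise a phone number or email before lookup."""
    return contact.strip().lower()


def vulnerable_lookup(contact: str) -> dict:
    """Flaw modelled on the article: the response itself reveals whether the
    contact is registered and which handle it belongs to."""
    handle = ACCOUNTS.get(normalize(contact))
    if handle is None:
        return {"status": 404, "body": "No account is associated with this contact."}
    return {"status": 200, "body": f"This contact is linked to {handle}."}


class HardenedLookup:
    """Same feature, but the response is identical for known and unknown
    contacts; the only signal goes out of band to the contact's owner, and
    each client is capped on attempts."""

    def __init__(self, per_client_limit: int = 5):
        self.limit = per_client_limit
        self.attempts = defaultdict(int)   # client id -> requests seen
        self.outbox = []                   # simulated out-of-band messages

    def lookup(self, contact: str, client_id: str) -> dict:
        self.attempts[client_id] += 1
        if self.attempts[client_id] > self.limit:
            return {"status": 429, "body": "Too many requests."}
        handle = ACCOUNTS.get(normalize(contact))
        if handle is not None:
            # Notify the real owner, never the requester.
            self.outbox.append((normalize(contact), f"Lookup requested for {handle}"))
        # Constant response regardless of whether the contact exists.
        return {"status": 200,
                "body": "If this contact is registered, instructions have been sent to it."}


def find_enumeration_sources(log_lines, threshold: int = 3) -> dict:
    """Detection: clients that probe many distinct contacts.
    Log format (constructed): '<timestamp> <client> <contact>' per line."""
    distinct = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, contact = parts
        distinct[client].add(normalize(contact))
    return {c: len(s) for c, s in distinct.items() if len(s) >= threshold}


# Constructed sample log: one client sweeping numbers, one ordinary user.
SAMPLE_LOG = [
    "2022-07-01T10:00:00Z 203.0.113.7 +15550100",
    "2022-07-01T10:00:01Z 203.0.113.7 +15550101",
    "2022-07-01T10:00:02Z 203.0.113.7 +15550102",
    "2022-07-01T10:00:03Z 203.0.113.7 +15550103",
    "2022-07-01T10:05:00Z 198.51.100.4 whistle@example.org",
]

if __name__ == "__main__":
    print(vulnerable_lookup("+15550100")["body"])
    print(vulnerable_lookup("+15550199")["body"])
    svc = HardenedLookup()
    print(svc.lookup("+15550100", "client-a")["body"])
    print(svc.lookup("+15550199", "client-a")["body"])
    print(find_enumeration_sources(SAMPLE_LOG))
```

The hardened path is the usual fix for this class of bug: status code, body and (in a real deployment) response timing must not depend on whether the contact exists, so that only the legitimate owner learns anything. The detector is the complementary control, since a single probe looks like normal account recovery and only the volume of distinct contacts per client gives the sweep away.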
Twitter said the bug had been introduced into its code in June 2021 and that it fixed the issue in January, after it was notified of the hack through its "bug bounty" program. At that time, the company "had no evidence to suggest someone had taken advantage of the vulnerability."
But hackers had already created a database of email addresses and phone numbers behind the 5.4 million Twitter accounts and were intending to sell them. Twitter said it learned about this from a press report in July.
"After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed," the company said. "We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors."
"If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened," Twitter said. "To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account."
The company added: "While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins."
TechCrunch noted that this is just the latest in a series of security issues Twitter has faced in recent years. In May, the company agreed to pay $150 million in a settlement with the Federal Trade Commission after misusing user phone numbers and email addresses. The company had used them for targeted advertising, which users had not authorized; they had submitted them only for two-factor authentication.