Vulnerability in Twitter system allows hacker to steal personal information from 5 million accounts

Due to a vulnerability in his system, a hacker stole the account names and email addresses of over 5 million Twitter accounts ranging from celebrities, businesses, organizations and many more.

“We want to notify you of a vulnerability that allowed someone to enter a phone number or email address into the login flow in an attempt to determine if that information was linked to an existing Twitter account, and if yes, which specific account.” the social media app said in a blog post.

(Photo: OLIVIER DOULIERY/AFP via Getty Images)
In this photo illustration, a phone screen displays the Twitter logo on a Twitter page background, in Washington, DC on April 26, 2022. – Billionaire Elon Musk wins a social media prize with his deal to buy Twitter, which has become a global stage for businesses, activists, celebrities, politicians and more.

Twitter System Vulnerability

As first reported by The Independent, Twitter was already made aware earlier this year of an existing vulnerability in its system – in which if someone provided Twitter with their email address or phone number, Twitter would notify them. of all Twitter accounts that the submitted email address or phone number can be linked.

This flaw first appeared in June 2021, and Twitter patched it later. When the information of over 5.4 million accounts was allegedly sold on a hacker forum for $30,000 in July 2022, the company’s claim that it had no evidence a hacker was using this exploit has been disputed.

BleepingComputer spoke to the threat actor, who revealed that he used a vulnerability to harvest the data in December 2021. Interested buyers have already approached them and they are currently selling the data for $30,000.

Twitter received the report that a threat actor took advantage of the vulnerability in July, and after closely examining a sample of the available data stolen, they confirmed that the threat actor had indeed exploited the security flaw. before you can fix it.

Read also: North Korean hackers attack Gmail accounts, says cybersecurity firm

Unable to confirm

The microblogging platform also said it would directly notify accounts confirmed to have been affected by the breach. However, the company admitted that it was still unable to confirm the affected accounts and that it was cautious with “pseudonymous accounts” which could be targeted by malicious actors.

“If you are operating a pseudonymous Twitter account, we understand the risks that an incident like this can introduce and we deeply regret that this has happened. To keep your identity as veiled as possible, we recommend that you do not add a publicly known phone number or email address to your Twitter account,” the company said.

Twitter said there was nothing users could do to secure their data at this point. Still, they should set two-factor authentication on all accounts to prevent security breaches from happening again.

Related article: Elon Musk vs Twitter: a billionaire accuses Twitter of fraud on the number of fake accounts

This article belongs to Tech Times

Written by Joaquin Victor Tacla

ⓒ 2022 All rights reserved. Do not reproduce without permission.

Comments are closed.