Due to a vulnerability in its system, a hacker stole the account names and email addresses of more than 5 million Twitter accounts that ranged from celebrities, companies, organizations, and many more.
"We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.," the social media app said in a blog post.
In this photo illustration, a phone screen displays the Twitter logo on a Twitter page background, in Washington, DC, on April 26, 2022. - Billionaire Elon Musk is capturing a social media prize with his deal to buy Twitter, which has become a global stage for companies, activists, celebrities, politicians and more.
Twitter's System Vulnerability
As reported first by The Independent, Twitter was already notified earlier this year about an existing vulnerability in its system - wherein if someone provided Twitter with their email address or phone number, Twitter would inform them of any Twitter accounts that the submitted email address or phone number might be linked to.
This flaw first appeared in June 2021, and Twitter later fixed it. When the information of over 5.4 million accounts was reportedly being sold on a hacker forum for $30,000 in July 2022, the company's claim that it had no evidence of a hacker utilizing this exploit was disputed.
BleepingComputer spoke with the threat actor, who disclosed that they had utilized a vulnerability to gather the data in December 2021. Interested purchasers have already approached them, and they are currently selling the data for $30,000
Twitter received the report that a threat actor took advantage of the vulnerability in July, and after closely reviewing a sample of the available data stolen, they confirmed that the threat actor had indeed exploited the security flaw before they could address it.
Read also: North Korean Hackers Are Attacking Gmail Accounts, According To a Cybersecurity Firm
Unable To Confirm
The microblogging platform also said that they would be directly notifying the accounts that were confirmed to have been impacted by the breach. However, the company admitted that they are still unable to confirm those affected accounts and are being cautious with "pseudonym accounts" that could be targeted by malicious actors.
"If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account," the company said.
Twitter stated that there was nothing users could do to secure their data at this point. Still, they should set two-factor authentication on all accounts to prevent security breaches from occurring once again.
Related Article: Elon Musk vs Twitter: Billionaire Accuses Twitter of Fraud Over Number of Fake Accounts
This article is owned by Tech Times
Written by Joaquin Victor Tacla
