Twitter admits a breach that exposed account owners around the world
A hole in Twitter's software that left an unspecified number of owners of anonymous accounts potentially compromised last year was apparently exploited by a malicious person, the social media company said on Friday.
It did not confirm a report that data on 5.4 million users was offered for sale online as a result, but said users worldwide were affected.
The breach is particularly disturbing because many Twitter account owners, including human rights activists, do not disclose their identities in their profiles for security reasons, including fear of repression by the authorities.
“This is very bad for a lot of people who use Twitter accounts with pseudonyms,” U.S. Naval Academy data security expert Jeff Kosseff tweeted.
The vulnerability allowed someone to determine during the login process whether a particular phone number or email address was associated with an existing Twitter account, thereby revealing the account owner, the company said.
Twitter said it didn’t know how many users might have been affected and stressed that no passwords were exposed.
“We can confirm the impact is global,” a Twitter spokesperson said by email. “We were unable to determine exactly how many accounts were affected or the location of the account holders.”
Twitter’s admission in a Friday blog post follows a report last month by digital privacy advocacy group Restore Privacy detailing how data apparently obtained through the security vulnerability was sold on a popular hacking forum for $30,000.
A security researcher discovered this vulnerability in January, notified Twitter and was paid a $5,000 bounty. Twitter said the bug, introduced in the June 2021 software update, was immediately fixed.
Twitter said it learned about the sale of data on the hacking forum from media reports and “confirmed that a bad guy took advantage of the issue before it was resolved.”
It said it has directly notified all account owners that it can confirm have been affected.
“We are publishing this update because we cannot confirm every potentially affected account, and are particularly mindful of those with fake accounts that could be targeted by the state or other actors,” said the company.
It recommends that users who are looking to conceal their identity not add a publicly known phone number or email address to their Twitter account.
“If you run a Twitter account under a pseudonym, we understand the risks an incident like this can pose and deeply regret that this happened,” it said.
The breach disclosure comes while Twitter is in a legal battle with Tesla CEO Elon Musk over his attempt to back out of an earlier offer to buy San Francisco-based Twitter for $44 billion.
© 2022 Canadian Press