Twitter Patches Security Vulnerability After Data of 5.4 Million Users Leaks


Twitter has announced that it has patched a security vulnerability following the leak of data belonging to 5.4 million users. The data was sold on hacker forums for USD 30,000.

This security vulnerability allowed anyone to submit a phone number or email address, find out whether it was linked to an existing Twitter account, and then retrieve the account ID.


The hacker then uses this ID to siphon all public information related to the account. This loophole is considered dangerous because it can expose the identity behind a pseudonymous or alternate account.
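From the defender's side, this kind of identifier-to-account lookup abuse shows up as one client submitting many different phone numbers or email addresses in a short time. The sketch below is an added example, not Twitter's code: the log format, client names, identifier tokens and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque


def constructed_sample():
    """Constructed log lines: '<epoch_seconds> <client_id> <identifier_token>'."""
    lines = [f"{1000 + 5 * i} app-17 ident-{i:03d}" for i in range(8)]  # 8 distinct in 35 s
    lines += [f"{1000 + 4 * i} user-b ident-900" for i in range(10)]    # retries of one value
    lines += ["1010 user-a ident-500", "1300 user-a ident-501"]         # occasional lookups
    return sorted(lines, key=lambda line: int(line.split()[0]))


def flag_enumerators(lines, window=60, max_distinct=5):
    """Return {client: peak distinct identifiers per window} for clients over the limit.

    Counting distinct identifiers (not raw requests) keeps a user who retries
    the same email address from being mistaken for someone walking a list.
    """
    recent = defaultdict(deque)  # client -> (timestamp, identifier) pairs still in window
    peak = defaultdict(int)      # client -> highest distinct count seen in any window
    for line in lines:
        if not line.strip():
            continue
        ts_text, client, ident = line.split()
        ts = int(ts_text)
        queue = recent[client]
        queue.append((ts, ident))
        # Drop lookups that are older than the sliding window.
        while queue and queue[0][0] <= ts - window:
            queue.popleft()
        peak[client] = max(peak[client], len({i for _, i in queue}))
    return {c: n for c, n in peak.items() if n > max_distinct}


if __name__ == "__main__":
    for client, count in flag_enumerators(constructed_sample()).items():
        print(f"{client}: {count} distinct identifiers within 60 s")
```

In a real service the identifier column would hold a keyed hash of the submitted value, so the detection log does not itself become a store of phone numbers and email addresses.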




This vulnerability allowed hackers to create a database containing profiles of 5.4 million Twitter users in December 2021. The database contains phone numbers, email addresses, number of followers, screen names, usernames, locations, profile photo URLs, and other information.



Twitter said this security flaw emerged as a result of an update to its code that was uploaded in June 2021. The existence of this bug was only discovered six months later by security researchers who reported it to Twitter through its bug bounty program.


According to the bug bounty report, the vulnerability poses a serious threat to owners of private accounts or accounts with pseudonyms, and can be used to create a database containing important Twitter user information.


But the warning from the security researcher came too late. Within a span of six months, hackers managed to exploit the vulnerability and create a database containing email addresses and phone numbers belonging to 5.4 million Twitter users.


"We're releasing this update because we weren't able to confirm every potentially impacted account, and were especially concerned about people with pseudonyms that could be targeted by other countries or actors," Twitter said in a statement (8/2022).


"If you are running a pseudonymous Twitter account, we understand the risk this incident could pose and we are very sorry this happened."


Twitter said it would provide direct notifications to users affected by this data leak. But the bird logo company could not confirm how many users were affected.


Although user passwords were not exposed in this data leak, Twitter advises users to enable two-factor authentication. For users who want to hide their identity, Twitter recommends using a private email address or phone number.
