Twitter vulnerability leads to a data breach

According to Twitter’s official statement, the vulnerability enabled anyone to retrieve the associated Twitter account, if any, by submitting an email address or a phone number. Malicious actors could therefore enter email addresses or phone numbers at random and, whenever an account was linked to one, tie that account’s public information directly to that email address or phone number. Depending on how much information a user shares publicly on the internet, this may severely compromise their privacy.

The vulnerability had existed in the social media app since June 2021 and resulted from an update to its code. The company learned about it in January this year through its HackerOne bug bounty program. It immediately investigated the report and patched the bug.

However, the worst had already happened. Someone had already exploited it and gathered information about more than 5.4 million Twitter users, including celebrities and companies. Twitter says that it wasn’t aware of the breach until last month, when the malicious actor behind it revealed the breach publicly and offered to sell the information. The company checked the sample the actor provided and confirmed the breach.

The threat actor claims to have information about 5,485,636 Twitter users. They offered to sell the data for $30,000 and told BleepingComputer about potential buyers. However, the publication confirmed that two separate buyers purchased the data for much less. The threat actor may release the information publicly in the future.
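The lookup behaviour described above, set beside a hardened form, as an added example that is not Twitter's code or its actual fix. All names, the sample directory and the per-client budget are hypothetical; the hardening shown (an identical response whether or not a match exists, plus a cap on distinct identifiers per client) is a general mitigation for this class of bug.

```python
import hashlib
from collections import defaultdict

# Constructed sample directory: contact identifier -> account handle.
ACCOUNTS = {"alice@example.com": "@alice_public", "+15550100": "@pseudonym42"}

GENERIC = {"status": "ok", "message": "If an account matches, its owner has been contacted."}
MAX_DISTINCT_LOOKUPS = 3  # assumed budget of distinct identifiers per client per window


def vulnerable_lookup(identifier):
    """Behaviour the article describes: the response reveals the linked account."""
    handle = ACCOUNTS.get(identifier)
    return {"status": "ok", "account": handle} if handle else {"status": "not_found"}


class HardenedLookup:
    """Uniform responses plus a per-client cap on distinct identifiers queried."""

    def __init__(self, limit=MAX_DISTINCT_LOOKUPS):
        self.limit = limit
        self.seen = defaultdict(set)  # client id -> hashes of identifiers queried
        self.alerts = []              # clients flagged for enumeration-like volume

    def lookup(self, client_id, identifier):
        # Track only a hash so the abuse log does not become a second PII store.
        digest = hashlib.sha256(identifier.lower().encode()).hexdigest()
        self.seen[client_id].add(digest)
        if len(self.seen[client_id]) > self.limit:
            if client_id not in self.alerts:
                self.alerts.append(client_id)
            return {"status": "rate_limited"}
        # Any message to a matching account owner goes out of band; the caller
        # receives the same body whether or not the identifier is registered.
        return dict(GENERIC)
```
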

Never share too much private information publicly

In its statement, Twitter said that it will directly notify users impacted by this breach. However, the company notes that it can’t confirm every account that may have been impacted. According to the firm, this data breach poses great identity risks to “people with pseudonymous accounts”. It encourages them to avoid adding a publicly known phone number or email address to their account.

It’s always advisable not to share too much private information publicly. While this breach didn’t compromise passwords, it’s a good idea to enable two-factor authentication (2FA) for social media accounts. This would prevent unauthorized access in case someone learns your password. Since two threat actors have already purchased the stolen data, there’s a possibility of phishing attacks trying to steal your login credentials. You may use an app like Microsoft Authenticator, or any other of your choice, for 2FA.
