A vulnerability in Twitter software that exposed an unknown number of anonymous account owners to possible identity compromise last year was apparently exploited by a malicious actor, the social media company said on Friday.
The company did not confirm a report that the data of 5.4 million users was offered for sale online as a result, but said users around the world were affected.
The breach is particularly concerning because many Twitter account owners, including human rights activists, do not reveal their identities on their profiles for security reasons, including fear of persecution by repressive authorities.
“This is very bad for many using pseudonymous Twitter accounts,” US Naval Academy data security expert Jeff Kosseff tweeted.
The vulnerability allowed someone to determine during login whether a particular phone number or email address was linked to an existing Twitter account, thereby revealing the account’s owners, the company said.
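The flaw as the article describes it is an account-enumeration oracle: a login (or recovery) step answered differently depending on whether the supplied phone number or email address was already tied to an account. The Python below is an added example, not Twitter's code; it models that response pattern in a mock service (the registered identifiers are constructed sample data) beside a hardened handler whose reply is identical either way, and includes a self-check a defender can run against any lookup endpoint to confirm it no longer leaks account existence.

```python
# Added example (not from the article): account-enumeration oracle vs a
# response-uniform handler, with a defender's self-check.

# Constructed sample data: identifiers (lowercased) registered in a mock service.
REGISTERED = {"+15550100", "alice@example.com"}


def lookup_vulnerable(identifier: str) -> dict:
    """The pattern the article describes: the reply itself tells the caller
    whether the identifier maps to an existing account."""
    if identifier.lower() in REGISTERED:
        return {"status": 200,
                "message": "This phone/email is linked to an existing account."}
    return {"status": 404, "message": "No account found for this identifier."}


def _send_out_of_band_notice(identifier: str) -> None:
    """Placeholder (hypothetical hook) for an email/SMS to the real owner.
    A no-op here so the example runs offline."""
    return None


def lookup_hardened(identifier: str) -> dict:
    """Same user-facing action, but the reply does not depend on whether the
    identifier is registered. Any signal goes out of band to the owner only,
    so an unauthenticated caller learns nothing about account existence."""
    # Perform the membership check on both paths so server-side work is the
    # same, but never let its result shape the response.
    if identifier.lower() in REGISTERED:
        _send_out_of_band_notice(identifier)
    return {"status": 200,
            "message": "If this identifier is registered, instructions have been sent."}


def leaks_existence(lookup, known_registered: str, known_unregistered: str) -> bool:
    """Defender's self-check: feed one identifier you know is registered and
    one you know is not. Any difference in the reply means the endpoint is an
    enumeration oracle. Returns True when it leaks."""
    return lookup(known_registered) != lookup(known_unregistered)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_existence(lookup_vulnerable,
                                               "alice@example.com",
                                               "nobody@example.com"))
    print("hardened leaks:  ", leaks_existence(lookup_hardened,
                                               "alice@example.com",
                                               "nobody@example.com"))
```

In a real deployment the same check should be extended to status codes, headers, response size and timing, since any of those can carry the existence bit even when the message body is uniform.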
Twitter said it did not know how many users might have been affected and stressed that no passwords were exposed.
“We can confirm that the impact was global,” a Twitter spokesperson said by email. “We cannot determine exactly how many accounts were affected or the location of account holders.”
Twitter’s acknowledgment in a blog post on Friday followed a report last month from digital privacy advocacy group Restore Privacy detailing how data allegedly obtained from the vulnerability was being sold on a popular hacking forum for $30,000 (approximately Rs. 28.9 lakh).
A security researcher discovered the flaw in January, reported it to Twitter, and was paid a $5,000 (approximately Rs. 4 lakh) reward. Twitter said the bug, introduced in a June 2021 software update, was fixed immediately.
Twitter said it learned of the data sale on the hacking forum through media reports and “confirmed that a bad actor had taken advantage of the issue before it was addressed.”
It said it was directly notifying all account owners it can confirm were affected.
“We’re posting this update because we can’t confirm all accounts that were potentially affected, and we’re particularly mindful of people with pseudonymous accounts that may be targeted by the state or other actors,” the company said.
It recommended that users looking to keep their identities hidden not add a publicly known phone number or email address to their Twitter account.
“If you operate a pseudonymous Twitter account, we understand the risks that an incident like this can present and we deeply regret that this has happened,” the company said.
The disclosure of the breach comes as Twitter is in a legal battle with Tesla CEO Elon Musk over his attempt to back out of his earlier offer to buy San Francisco-based Twitter for $44 billion (approximately Rs. 3,500 million).