A vulnerability in Twitter’s software that exposed an unspecified number of anonymous account owners to possible identity fraud last year was apparently exploited by a malicious actor, the social media company said Friday.
It did not confirm a report that data on 5.4 million users were put up for sale online as a result, but said users worldwide were affected.
The breach is especially worrisome because many Twitter account owners, including human rights activists, do not disclose their identities in their profiles for safety reasons, including fear of prosecution by repressive authorities.
“This is very bad for many who use pseudonymous Twitter accounts,” tweeted Jeff Kosseff, a data security expert at the US Naval Academy.
The vulnerability allowed someone, during the login process, to determine whether a particular phone number or email address was associated with an existing Twitter account, thereby revealing who owned that account, the company said.
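The flaw described above is a classic account-enumeration oracle: a login (or signup) handler that answers differently depending on whether the submitted email or phone number is already tied to an account. The following Python is an added illustration written for this article, not Twitter's code; the in-memory account store, the handler names and the error strings are all constructed assumptions. It shows the leaky pattern beside a hardened version that returns one uniform failure response, plus a small self-check a developer can run against a handler to confirm it no longer acts as an oracle.

```python
import hmac

# Constructed sample account store (identifier -> password). Assumption for
# illustration only; a real system stores salted password hashes, not plaintext.
ACCOUNTS = {"alice@example.com": "correct horse battery staple"}


def leaky_login(identifier: str, password: str) -> dict:
    """Vulnerable pattern (hypothetical handler).

    The failure message differs depending on whether the identifier is known,
    so anyone can learn whether an email or phone number belongs to an account
    without ever knowing the password.
    """
    if identifier not in ACCOUNTS:
        return {"ok": False, "error": "no account with that email or phone"}
    if ACCOUNTS[identifier] != password:
        return {"ok": False, "error": "wrong password"}
    return {"ok": True}


def uniform_login(identifier: str, password: str) -> dict:
    """Hardened pattern (hypothetical handler).

    Every failure produces the same response, and the password comparison is
    constant-time, so neither the message nor the comparison step reveals
    whether the identifier exists.
    """
    stored = ACCOUNTS.get(identifier, "")
    # Compare even when the identifier is unknown, so both branches do the
    # same amount of work before answering.
    if not stored or not hmac.compare_digest(stored, password):
        return {"ok": False, "error": "invalid credentials"}
    return {"ok": True}


def is_enumeration_oracle(login, known: str, unknown: str) -> bool:
    """Developer self-check: submit a bogus password with a known and an
    unknown identifier and report whether the responses differ. True means
    the handler leaks account existence and needs fixing."""
    bogus = "not-the-password"
    return login(known, bogus) != login(unknown, bogus)


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_login), ("uniform", uniform_login)):
        leaks = is_enumeration_oracle(handler, "alice@example.com", "bob@example.com")
        print(f"{name}_login leaks account existence: {leaks}")
```

The same check applies to any form that reports whether an identifier is taken (signup, password reset, "find friends" lookups); making the message uniform is necessary but not sufficient, since response timing and rate limiting also need attention, which is why the hardened handler does the comparison work on both paths.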
Twitter said it did not know how many users may have been affected and stressed that no passwords were disclosed.
“We can confirm that the impact was global,” a Twitter spokesperson said via email. “We cannot determine exactly how many accounts were affected or the location of the account holders.”
Twitter’s acknowledgment in a blog post on Friday followed a report last month by digital privacy advocacy group Restore Privacy detailing how data believed to have been obtained from the vulnerability was sold on a popular hacking forum for $30,000 (approximately Rs. 28.9 lakh).
A security researcher discovered the flaw in January, informed Twitter and was awarded a reported bounty of $5,000 (approximately Rs. 4 lakh). Twitter said the bug, introduced in a June 2021 software update, was immediately fixed.
Twitter said it learned about the sale of data on the hacking forum through media reports and “confirmed that a bad actor had taken advantage of the issue before it was addressed.”
It said it directly notified all account owners it can confirm were affected.
“We are publishing this update because we are unable to confirm every account that may have been affected, and we are especially on the lookout for people with pseudonymous accounts who may be targeted by state or other actors,” the company said.
It advised users who wish to keep their identities hidden not to add a publicly known phone number or email address to their Twitter account.
“If you have a pseudonymous Twitter account, we understand the risks that an incident like this can pose and we deeply regret that this happened,” the message read.
The disclosure of the breach comes as Twitter is in a legal battle with Tesla CEO Elon Musk over his bid to pull out of his previous offer to buy San Francisco-based Twitter for $44 billion (approximately Rs. 3,500 crore).