Twitter Confirms Vulnerability Exposed Data of Anonymous Account Owners (twitter.com) 17
Friday the Twitter Privacy Center posted an announcement on their blog:
"We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened...."
Engadget explains: [T]he company said a malicious actor took advantage of a zero-day flaw before Twitter became aware of and patched the issue in January 2022. The vulnerability was discovered by a security researcher who contacted Twitter through the company's bug bounty program. When Twitter first learned of the flaw, it said it had "no evidence" to suggest it had been exploited. However, an individual told Bleeping Computer last month that they took advantage of the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected by the exposure.
From the Twitter Privacy Center: This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.... After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.
If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.
"We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened...."
Engadget explains: [T]he company said a malicious actor took advantage of a zero-day flaw before Twitter became aware of and patched the issue in January 2022. The vulnerability was discovered by a security researcher who contacted Twitter through the company's bug bounty program. When Twitter first learned of the flaw, it said it had "no evidence" to suggest it had been exploited. However, an individual told Bleeping Computer last month that they took advantage of the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected by the exposure.
From the Twitter Privacy Center: This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.... After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.
If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.
I wonder if the email and phone were both confirme (Score:2)
The thing about nefariously obtained data is there are no consequences for fraudulent information in it.
Twitter mostly bots (Score:1)
Re: (Score:1, Funny)
Everybody left Twitter as soon as Donald J. Trump left the platform. All that is still using Twitter is the Tesla bots.
Re: (Score:2)
Everybody left Twitter as soon as Donald J. Trump left the platform.
He "left" the platform? Is that how you guys are trying to spin it now?
Dude got kicked off for being a serial liar.
Re: (Score:1)
Reddit doesn't *really* require an email, either. Just skip it. Dark patterns, dark patterns, and more dark patterns...
Dont link a phone number? (Score:2)
Lets remember all the information twitter owns are valuable assets. No matter what the EULA says, if and whe
Re: (Score:2)
I'm assuming you had an existing account because I don't think it's even possible to create an account without a phone number linked to it anymore. If you somehow manage to achieve that and/or if you don't provide enough personal information on the account, your account gets suspended and they force you to put in a phone number. That's what happened to me when I created my account a year ago - I was flagged as sus in about 10 minutes.
Re: (Score:2)
Old accounts are fine and they stopped nagging about ... oh, say January.
Re: (Score:2)
I've done one better. No Twitter account.
or in other words (Score:2)
Burner phone (Score:3)
My Twitter account is linked to a burner phone / sim card not used for any other online accounts. Best $1 ever spent.
Re: (Score:2)
Is there a way to get a burner phone that can't be linked back to you from another zero-day?
Re: (Score:2)
Why zero days? It's surely a case of cyber intelligence and linking data sources. You can never be certain but if you know how the system works and are super careful, it's possible to lower the chance of detection to near zero.
Why is this a risk .. (Score:2)
If injecting a phone number into the login flow can reveal which account it belongs to (even if the login fails), how would that differ for named vs anonymous accounts? Sure, you don't get a real person's name. But the pseudonym might be enough.
Give thanks to Twitter (Score:1)