Twitter confirms data leak: 5.4 million users affected

The attacker wanted $30,000 for the data sets. (Source: IMAGO / NurPhoto)

With the help of a security vulnerability, criminals were able to collect data records from 5.4 million Twitter users. They then offered the information for sale. Twitter has now confirmed the incident.

In a blog post last Friday, Twitter wrote that the vulnerability had existed since June 2021 and had been introduced by an update. However, the company only learned of the problem on January 1, 2022, when a security researcher reported the vulnerability to Twitter and, as is customary in the IT security industry, received a reward of over $5,000 under the company's bug bounty program.

The short message service said it patched the vulnerability “immediately”, on Jan. 13. “At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,” Twitter explained in the blog entry.

This assessment turned out to be wrong when Twitter user data was offered for sale in a forum in June 2022. Twitter itself only learned of the stolen data through press reports in July 2022.

Bug in the security settings

The exploited vulnerability allowed anyone to submit an email address or phone number during the login process and learn whether it was associated with a Twitter account. On a match, Twitter returned the associated account ID, even if the account's security settings had disabled discovery by email or phone.

Using the ID, the attacker was able to retrieve further public information about the respective account. This meant that users who had registered under a pseudonym could be linked to a real phone number or email address and thereby identified.
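The following is an added illustration of the flaw class described above, written for this article and not Twitter's code: a contact lookup that returns an account ID on any match, beside a hardened version that honours the per-account discoverability setting and returns the same answer for "not discoverable" and "does not exist". The accounts, contact values and settings are constructed sample data; the function and field names are assumptions.

```python
"""Contact-to-account lookup: the leaking pattern beside a hardened one.

Constructed example for illustration; accounts, contacts and names are invented.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    email: str
    phone: str
    discoverable_by_email: bool  # "let people find me by email" setting (assumed name)
    discoverable_by_phone: bool  # "let people find me by phone" setting (assumed name)


# Constructed sample directory: one public account, one pseudonymous account
# that has opted out of discovery by both email and phone.
ACCOUNTS = (
    Account(1001, "alice@example.com", "+15550001111", True, True),
    Account(1002, "pseudonym@example.com", "+15550002222", False, False),
)


def _find_by_contact(contact: str) -> Optional[Account]:
    """Match a submitted email address or phone number against the directory."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct
    return None


def lookup_vulnerable(contact: str) -> Optional[int]:
    """The pattern the article describes: any match reveals the account ID,
    regardless of the account's own discoverability settings."""
    acct = _find_by_contact(contact)
    return acct.account_id if acct else None


def lookup_hardened(contact: str) -> Optional[int]:
    """Honour the per-account setting for the channel that was probed.

    A non-discoverable account yields exactly the same result (None) as a
    contact that belongs to no account, so the response cannot be used to
    confirm that the contact is registered at all.
    """
    acct = _find_by_contact(contact)
    if acct is None:
        return None
    probed_by_email = "@" in contact
    allowed = acct.discoverable_by_email if probed_by_email else acct.discoverable_by_phone
    return acct.account_id if allowed else None


def revealed_ids(lookup: Callable[[str], Optional[int]], probes: Iterable[str]) -> set:
    """How many distinct accounts a list of probed contacts exposes under a
    given lookup; useful for comparing the two variants against the same input."""
    return {aid for aid in (lookup(p) for p in probes) if aid is not None}


if __name__ == "__main__":
    probes = ["alice@example.com", "pseudonym@example.com", "+15550002222", "nobody@example.com"]
    print("vulnerable reveals:", sorted(revealed_ids(lookup_vulnerable, probes)))
    print("hardened  reveals:", sorted(revealed_ids(lookup_hardened, probes)))
```

The point of the hardened variant is not only to check the setting but to make the "opted out" case indistinguishable from "no such account": if the two cases returned different errors, the existence of the account could still be confirmed even though the ID was withheld.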

The 5.485 million Twitter user records were offered for sale on the “Breached Forums” platform, as the IT security portal RestorePrivacy reports. The website had confirmed the authenticity of the records at the end of July and reported that they included usernames and real names, as well as phone numbers and email addresses. When asked, the seller demanded $30,000 for the information and confirmed having exploited the vulnerability in question in January.

Users defenceless

Twitter now intends to notify affected users. However, the service is unable to identify all potentially affected accounts. There is nothing users need to do, since no passwords were stolen.

Instead, Twitter is providing general tips for protecting user accounts: “To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”

Users should also enable two-factor authentication. In the Twitter app, the setting can be found in the menu under “Settings and Privacy → Security and Account Access → Security → Two-Factor Authentication.” As useful as this measure is for securing access to one’s own account, it would not have protected against this data theft, which required no login at all. (hcz)