It mainly affected those who use pseudonyms as their usernames.
Twitter confirmed this Friday that cybercriminals took advantage of a vulnerability in the application to leak information from at least 5.4 million users.
“We can confirm that the impact was global,” a Twitter spokesperson said in an email. “We cannot determine exactly how many accounts were affected or the location of the account holders,” they said. However, cybersecurity analysts put the impact at that figure.
The incident mainly affected accounts that use pseudonyms so as not to be identified: although there are many bots and “trolls” operating under this logic, many users prefer not to be publicly identified on social networks. The security breach exposed the emails and phone numbers of those accounts.
Twitter said it will notify affected account owners directly, but information that surfaced in July this year on a personal data buying and selling forum points to 5.4 million accounts.
Twitter, in fact, indicates in its statement that it became aware of the data abuse through a press report, but does not cite the source or additional details.
“We are posting this update because we cannot confirm all accounts that were potentially affected, and we are particularly aware of people with pseudonymous accounts that may be attacked by the state or other actors,” said Twitter in a blog post.
What type of accounts were affected
The exposure could endanger accounts that use anonymity as protection against harassment and potential violence, especially accounts belonging to dissidents from authoritarian countries.
To take a few examples, user information is so valuable to autocratic states that a former Twitter employee is now facing trial for allegedly accepting payments from the Saudi Arabian government in exchange for sharing information about political dissidents. In Iran, Twitter has also become a popular platform for political dissidents.
The data exposed in the Twitter breach would be of great use to authorities in countries like Iran or Saudi Arabia, says Cerfta Lab founder Amin Sabeti, who specializes in security research related to Iran.
Sabeti identified state actors who have gone after private accounts in the past, using social engineering techniques such as posing as an attractive woman to obtain an account that would reveal real personal information.
“If the Iranian regime can get a copy of this data and then find their target, it doesn’t matter if the user deletes the account right now because the user will be identified through a mobile number or email,” Sabeti wrote in a message to CyberScoop. “Eventually, it is a losing game for the potential victim in Iran and we may never hear from them. They will be arrested or even sentenced to death.”
Such a massive set of data could also be exploited for commercial purposes, including advertising.
Twitter addressed the vulnerability after a researcher reported it through the company’s bug bounty program in January 2022, meaning any accounts created after that date should not be affected by the incident. The company says the bug was the result of a 2021 code update.
This is not the first problem of its kind on the social network. In May, Twitter agreed to pay a $150 million fine to settle a Justice Department complaint alleging that, between 2014 and 2019, the company used account holder information provided for security verification for advertising purposes without the users’ permission.
In 2020, Irish regulators fined Twitter nearly half a million dollars for a bug that exposed private tweets. The company warns users not to link sensitive data to anonymous accounts.
“If you operate a pseudonymous Twitter account, we understand the risks that an incident like this can present and we deeply regret that this has happened,” Twitter wrote on its blog on Friday.
To keep your identity as hidden as possible, we recommend that you do not add a publicly known phone number or email address to your Twitter account.
The official statement from Twitter