Twitter has acknowledged and addressed a vulnerability in its system that could have exposed private and pseudonymous accounts. The company confirmed fixing the issue in June 2022, but initial discovery likely occurred earlier that year.
How the Flaw Worked
The vulnerability lay in Twitter’s login process: when someone entered a phone number or email address, the response revealed whether that contact detail was linked to an existing account, thereby exposing the associated username. Twitter traced the bug back to a code update implemented in June 2021.
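The flaw described above is a classic account-enumeration oracle: a lookup endpoint whose answer differs depending on whether the submitted contact detail is registered. The following is an added illustration, not Twitter’s code, showing a leaky lookup handler next to a hardened one that returns a uniform response and throttles bulk lookups. The account store, identifiers, handler names and the rate-limit threshold are all constructed for the example.

```python
"""Account-enumeration demonstration (added example; store and handlers are constructed).

The vulnerable handler branches its response on whether an email/phone exists,
so it can be used to confirm registered contact details and map them to handles.
The hardened handler answers identically either way and rate-limits by source.
"""
from collections import defaultdict

# Constructed sample store mapping contact details to usernames; all values invented.
ACCOUNTS = {
    "alice@example.com": "alice_handle",
    "+15550100": "pseudonymous_handle",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Leaky behaviour: the status and message differ for known vs. unknown
    identifiers, and the username itself is returned."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": 404, "message": "No account found for this email or phone"}
    return {"status": 200, "message": f"Account found: @{handle}"}


def lookup_hardened(identifier: str) -> dict:
    """Uniform response regardless of existence. Any follow-up action (e.g. a
    reset link) goes out of band to the registered contact, never into the reply."""
    # Perform the lookup so the code path is the same, but never branch on the
    # outcome in what is sent back to the caller.
    _ = ACCOUNTS.get(identifier)
    return {"status": 200, "message": "If an account matches, instructions will be sent to it."}


# Per-source attempt counter for the rate-limited variant (constructed threshold).
_attempts = defaultdict(int)
MAX_LOOKUPS_PER_SOURCE = 5


def lookup_rate_limited(source: str, identifier: str) -> dict:
    """Hardened lookup plus a simple per-source cap, so that bulk probing of many
    identifiers from one origin is refused after the threshold."""
    _attempts[source] += 1
    if _attempts[source] > MAX_LOOKUPS_PER_SOURCE:
        return {"status": 429, "message": "Too many requests"}
    return lookup_hardened(identifier)


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Detection helper for code review or testing: True if the handler's responses
    for a registered and an unregistered identifier differ, i.e. it is an oracle."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_existence(lookup_vulnerable, "alice@example.com", "nobody@example.com"))
    print("hardened leaks:  ", leaks_existence(lookup_hardened, "alice@example.com", "nobody@example.com"))
```

The `leaks_existence` check is the kind of assertion worth keeping in a test suite for any endpoint that accepts an email or phone number: if a registered and an unregistered input ever produce different responses, the endpoint has regressed into an enumeration oracle of the sort Twitter shipped in June 2021.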
Initial Denial Followed by Data Leak
While Twitter initially believed the vulnerability remained unexploited, a report from a security researcher surfaced six months later. This report revealed that data from over 5.4 million private and pseudonymous accounts, including those belonging to “celebrities and companies,” appeared for sale on a dark web marketplace.
Twitter’s Response and User Protection
Twitter will directly notify verified accounts that were demonstrably impacted. However, the company acknowledges the challenge of identifying all affected users, especially those with pseudonymous accounts who could be targeted by malicious actors. As a precautionary measure, Twitter urges all users to activate two-factor authentication to bolster account security.
A Pattern of Vulnerabilities
This incident follows a similar vulnerability in 2020 that exposed direct message details on some Android and iOS devices. While Twitter has addressed both issues, these incidents raise ongoing concerns about user privacy on the platform. Moving forward, Twitter will need to prioritize robust security measures and user data protection to rebuild trust with its user base.