Twitter confirms: the data of 5.4 million Internet users has been hacked

Twitter reveals that a security breach has endangered the anonymity of more than 5.4 million Internet users. Thanks to this breach, it was possible to determine the identity of the user behind an account. Hackers exploited the vulnerability to steal sensitive data.

Twitter has just confirmed the existence of a major security breach. In a press release published on its website this Friday, August 5, 2022, the social network reveals that a zero-day vulnerability was exploited by hackers. A zero-day is a flaw that is exploited before the developers have discovered it.

Thanks to this flaw, it was possible to link an anonymous Twitter account to an individual. As Twitter explains, all one had to do was “enter a phone number or email address” to find out “whether that information was linked to an existing Twitter account, and if so, which specific account.”


A flaw exploited without the knowledge of Twitter

The breach was discovered last January as part of Twitter’s bug bounty program. According to the social network, the flaw was introduced by an update deployed in June 2021. When the flaw was discovered, there was no evidence that criminals had exploited the vulnerability. Twitter promptly patched the flaw, hoping to have gotten ahead of the cybercriminals.

Unfortunately, a hacker apparently exploited the Twitter breach before a fix was deployed. As we explained to you in July, a hacker put up for sale a file containing the data of 5.4 million accounts on Breached Forums. The individual put the data up for sale for $30,000. Interviewed by Bleeping Computer, the hacker, who calls himself Devil on the web, claims to have used the flaw to steal the data.

“After reviewing a sample of data available for sale, we confirmed that a malicious actor took advantage of the issue before it was resolved,” Twitter admits in its statement on its website.

Twitter notifies affected accounts

Twitter specifies that no password has been stolen by hackers. Among the hacked information, however, we find the geographical position, the URL of the account, the linked telephone number, the email address and the profile photo.

In the press release, Twitter undertakes to warn all Internet users affected by the leak. But, unfortunately, the American platform is not “able to confirm all accounts that have been potentially affected”. The social network says it is focusing on individuals who could represent a target for governments or other entities.

The social network especially fears that authoritarian governments will rely on this data to flush out opponents of the regime. Many political dissidents do use Twitter to communicate. This is particularly the case in Iran, our colleagues at CyberScoop report.

“If the Iranian regime can get a copy of this data and then find their target, it doesn’t matter if the user deletes the account right now because they will be identified by cell phone number or email. In the end, it’s a losing game for a potential victim in Iran because we’ll never know of their existence. They will be arrested or even sentenced to death,” says Amin Sabeti, a computer security specialist in Iran.

Under these conditions, Twitter advises individuals who wish to remain anonymous to “not add a phone number or email address” to their account.

Source: Twitter
