A vulnerability in Twitter’s software that left an unspecified number of owners of anonymous accounts compromised last year appears to have been exploited by a malicious attacker, the social media company said on Friday.
It did not confirm a report that the vulnerability resulted in data on 5.4 million users being offered for sale online, but said users worldwide were affected.
The breach is particularly disturbing because many Twitter account owners, including human rights activists, do not disclose their identities in their profiles for security reasons, including fear of repression or arrest by the authorities.
“This is very bad for a lot of people using fake Twitter accounts,” US Naval Academy data security expert Jeff Kosseff tweeted.
The vulnerability allowed someone to determine, during the login process, whether a particular phone number or email address was associated with an existing Twitter account, thereby revealing the account owner, the company said.
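To make the flaw concrete, here is an added illustration (not Twitter’s code) of a login handler that leaks whether an email or phone number is tied to an account, next to a hardened version that answers identically in both cases. The account store, handles and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample store: identifier -> (handle, salt, password hash).
# These are made-up accounts for illustration only.
_SALT = secrets.token_bytes(16)
ACCOUNTS = {
    "alice@example.org": ("@alice_activist", _SALT, _hash("correct horse", _SALT)),
    "+15555550123": ("@bob_reporter", _SALT, _hash("battery staple", _SALT)),
}
_DUMMY_HASH = _hash(secrets.token_hex(8), _SALT)  # used on the unknown path
GENERIC_FAILURE = {"ok": False, "message": "Invalid identifier or password."}

def vulnerable_login(identifier: str, password: str) -> dict:
    """Flaw of the kind described above: the response differs depending on
    whether the email/phone is tied to an account, so even a wrong password
    reveals which handle the identifier belongs to."""
    entry = ACCOUNTS.get(identifier)
    if entry is None:
        return {"ok": False, "message": "No account uses this email or phone number."}
    handle, salt, stored = entry
    if hmac.compare_digest(_hash(password, salt), stored):
        return {"ok": True, "account": handle}
    return {"ok": False, "message": f"Wrong password for {handle}."}

def hardened_login(identifier: str, password: str) -> dict:
    """Fix: one generic failure response whether or not the identifier exists,
    and a dummy hash on the unknown path so timing does not separate the cases."""
    entry = ACCOUNTS.get(identifier)
    handle, salt, stored = entry if entry else (None, _SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash(password, salt), stored)  # always runs
    if entry is not None and matches:
        return {"ok": True, "account": handle}
    return dict(GENERIC_FAILURE)

def leaks_membership(login, identifier: str) -> bool:
    """Regression check a defender can keep in a test suite: does a failed
    attempt for a known identifier answer differently from an unknown one?"""
    known = login(identifier, "definitely-wrong")
    unknown = login("nobody@example.invalid", "definitely-wrong")
    return known != unknown
```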
Twitter said it didn’t know how many users might have been affected and stressed that no passwords were exposed.
“We can confirm the impact is global,” a Twitter spokesperson said by email. “We were unable to determine exactly how many accounts were affected or the location of the account holders.”
Twitter’s admission in a Friday blog post follows a report last month by digital privacy advocacy group Restore Privacy detailing how data obtained through the vulnerability was being sold on a popular hacking forum for US$30,000.
A security researcher discovered this vulnerability in January, notified Twitter and was paid a $5,000 bounty. Twitter said the bug, introduced in the June 2021 software update, was immediately fixed.
Twitter said it learned about the hack forum data sale from media reports and “confirmed that a bad guy took advantage of the issue before it was resolved.”
It said it has directly notified all account owners that it can confirm were affected.
“We’re publishing this update because we can’t confirm every potentially affected account, and are particularly mindful of those with fake accounts that could be targeted by the state or other actors,” the company said.
It recommends that users who want to conceal their identities not add publicly known phone numbers or email addresses to their Twitter accounts.
“If you run a Twitter account under a pseudonym, we understand the risks an incident like this can pose and deeply regret that this happened,” it said.
The disclosure of the breach comes while Twitter is in the midst of a legal battle with Tesla CEO Elon Musk over his attempt to back out of an offer to acquire San Francisco-based Twitter for $44 billion.