Twitter has announced that a security flaw in its systems allowed anyone to learn whether a given phone number or email address was linked to an existing Twitter account, and which one. According to Twitter, at least one attacker used the flaw to compile a large listing of account data that was subsequently offered for sale on the dark web.
So, how did it happen? Twitter explained:
“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any. When we learned about this, we immediately investigated and fixed it.”
In practice, this means the lookup behind Twitter’s contact-discovery tools (the feature that finds people you know who are already on the app) acted as an oracle: submit an email address or phone number and it answered with the matching account. Anyone willing to feed it a list of phone numbers or email addresses harvested elsewhere on the web could therefore build a database mapping those identifiers to Twitter accounts, one query at a time.
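To make the mechanism concrete, here is an added illustration written for this article. It is not Twitter’s code and does not describe Twitter’s actual fix (the company said only that the issue was fixed); the directory, handles, phone numbers, the opt-in flag and the per-client budget are all constructed. It contrasts a lookup that answers for any identifier with a hardened variant that applies two generic mitigations: a per-client query budget, and an identical “no result” answer for unknown identifiers and for accounts whose owners have not opted in to being discoverable.

```python
"""Account-enumeration oracle: a leaky contact-discovery lookup vs a hardened one.

Constructed example for illustration only; not Twitter's code or Twitter's fix.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional

# Constructed directory of identifier -> handle (the identifiers are made up).
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "alice_j",
    "+15550100": "alice_j",
    "whistleblower@example.net": "anon_truth",
    "+15550199": "bob_k",
}

# Hypothetical "let people find me by email/phone" setting, per handle.
DISCOVERABLE: Dict[str, bool] = {"alice_j": True, "bob_k": True, "anon_truth": False}


def vulnerable_lookup(identifier: str) -> Optional[str]:
    """Answers for every known identifier: an enumeration oracle."""
    return ACCOUNTS.get(identifier)


class RateLimited(Exception):
    """Raised when a client exhausts its lookup budget."""


@dataclass
class HardenedLookup:
    """Budgets queries per client and never distinguishes 'no account' from 'opted out'."""

    per_client_budget: int = 3
    _used: Dict[str, int] = field(default_factory=dict)

    def lookup(self, client_id: str, identifier: str) -> Optional[str]:
        used = self._used.get(client_id, 0)
        if used >= self.per_client_budget:
            raise RateLimited(client_id)
        self._used[client_id] = used + 1
        handle = ACCOUNTS.get(identifier)
        if handle is None or not DISCOVERABLE.get(handle, False):
            return None  # same answer whether the identifier is unknown or the owner opted out
        return handle


def enumerate_accounts(
    candidates: Iterable[str], lookup: Callable[[str], Optional[str]]
) -> Dict[str, str]:
    """Replays a harvested identifier list against a lookup and keeps the hits.

    Stops as soon as the service rate-limits the caller.
    """
    found: Dict[str, str] = {}
    for ident in candidates:
        try:
            handle = lookup(ident)
        except RateLimited:
            break
        if handle is not None:
            found[ident] = handle
    return found


# Constructed "scraped" list mixing real and non-existent identifiers.
SCRAPED = [
    "alice@example.com",
    "nobody@example.org",
    "+15550100",
    "whistleblower@example.net",
    "+15550199",
    "+15550000",
]


def demo() -> Dict[str, Dict[str, str]]:
    """Runs the same scraped list against both lookups."""
    service = HardenedLookup(per_client_budget=3)
    return {
        "vulnerable": enumerate_accounts(SCRAPED, vulnerable_lookup),
        "hardened": enumerate_accounts(SCRAPED, lambda i: service.lookup("scraper-1", i)),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {len(hits)} identifiers resolved -> {hits}")
```

Against the leaky lookup, every identifier in the directory resolves, including the pseudonymous `anon_truth`, whose owner never published a contact address. Against the hardened one, the opted-out account is indistinguishable from a non-existent one and the scraper is cut off after three queries; in a real deployment the budget would be keyed to authenticated client, IP range and time window rather than a bare client string.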
“In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”
This is not a breach in the usual sense: no passwords, direct messages or other private account data were exposed. It is still a problem, because tying a phone number or email address to a handle can unmask pseudonymous accounts and hands phishers a verified contact channel for a named target.
In 2020, Twitter revealed that hackers had been able to read the DMs of up to 36 accounts, including that of an elected official in the Netherlands. The microblogging company said at the time that, while its investigation was continuing, it wanted to be more specific about the type of information the attackers had accessed.
“We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed.”
Twitter did not name the Dutch official, but local media had reported at the time that the far-right, anti-Islam politician Geert Wilders had his account hacked. Speculation was further fuelled by a hacker interviewed on Dutch radio who claimed to have had access to Wilders’ DMs.