
Twitter Reports New Security Flaw Which Has Led to the Exposure of 5.4 Million Accounts

Twitter has been forced to report yet another security flaw within its systems that had enabled users to uncover whether a phone number or email address was connected to an existing Twitter account – which has led to at least one hacker compiling a huge listing of Twitter account information that was then subsequently sold online.

As explained by Twitter:  

“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. When we learned about this, we immediately investigated and fixed it.”

So, essentially, by using Twitter’s tools designed to help users find contacts who are also active in the app, you could theoretically build a database linking Twitter accounts to any phone number or email address you had collected from the web: the lookup acted as an oracle that confirmed, for each contact submitted, whether an account existed and which one it was.
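To make the defensive point concrete, here is an added example (not Twitter’s code, and not from the article) of a contact-lookup handler written in Python. The first handler has the flaw the statement describes: its response differs depending on whether the submitted contact is linked to an account, so it works as an account-existence oracle. The hardened handler returns the same response shape for “no account” and “account not discoverable”, honours a per-account discoverability opt-in, rate-limits each caller and records lookups so that bulk enumeration can be detected. The account records, contact values and thresholds are constructed for the example.

```python
"""Contact lookup: leaky oracle versus hardened handler (added example)."""
from collections import defaultdict

# Constructed sample data: handles, emails and phone numbers are made up.
ACCOUNTS = {
    "alice@example.com": {"handle": "@alice", "discoverable": True},
    "+15555550123": {"handle": "@pseudonymous_bob", "discoverable": False},
}


def lookup_leaky(contact: str) -> dict:
    """Vulnerable pattern: the reply reveals whether the contact maps to an
    account and which one, ignoring the owner's discoverability choice."""
    rec = ACCOUNTS.get(contact)
    if rec is None:
        return {"status": "no_account"}
    return {"status": "found", "handle": rec["handle"]}


class ContactLookupService:
    """Hardened pattern with three controls:
    1. only accounts that opted in to discovery are ever returned;
    2. unknown contact and opted-out contact produce identical responses;
    3. each caller is rate-limited and its lookups are recorded for detection."""

    def __init__(self, rate_limit: int = 5, enum_threshold: int = 3):
        self.rate_limit = rate_limit          # max lookups per caller (constructed)
        self.enum_threshold = enum_threshold  # distinct contacts that look like scraping
        self.calls = defaultdict(int)         # caller_id -> total lookups
        self.seen = defaultdict(set)          # caller_id -> distinct contacts queried

    def lookup(self, caller_id: str, contact: str) -> dict:
        self.calls[caller_id] += 1
        self.seen[caller_id].add(contact)
        if self.calls[caller_id] > self.rate_limit:
            # Same shape as a normal reply, so a limited caller learns nothing
            # about the contact; the limit itself is signalled separately.
            return {"matches": [], "rate_limited": True}
        rec = ACCOUNTS.get(contact)
        if rec is None or not rec["discoverable"]:
            # Indistinguishable branches: no linkage is confirmed either way.
            return {"matches": [], "rate_limited": False}
        return {"matches": [rec["handle"]], "rate_limited": False}

    def is_enumerating(self, caller_id: str) -> bool:
        """Detection hook: a caller probing many distinct contacts in a short
        window is behaving like a scraper rather than a user syncing contacts."""
        return len(self.seen[caller_id]) >= self.enum_threshold


if __name__ == "__main__":
    svc = ContactLookupService()
    print(lookup_leaky("+15555550123"))                 # leaks a pseudonymous handle
    print(svc.lookup("client-1", "+15555550123"))       # {'matches': [], ...}
    print(svc.lookup("client-1", "nobody@example.com")) # identical shape and content
```

The important design choice is that the hardened handler never distinguishes “not registered” from “registered but not discoverable”: both return an empty match list, so the only accounts a caller can confirm are those whose owners chose to be found. The rate limit and the distinct-contact counter are what turn a one-off lookup into a detectable event when someone tries to run it over millions of contacts.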

This is not a huge revelation. Back in 2015, BuzzFeed used a similar flaw in Twitter’s systems to uncover the burner account of a far-right politician in Australia. But it’s the mass-use of this process that could lead to problems.

Which is exactly what’s occurred:

“In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”


Indeed, BleepingComputer reports that it has spoken to a person who used this flaw to compile a database of 5.4 million Twitter account profiles ‘including a verified phone number or email address, and scraped public information, such as follower counts, screen name, login name, location, profile picture URL, and other information’.

The person, BleepingComputer says, has been looking to sell the dataset for around $30k, and several buyers have reportedly since acquired the cache.

It’s not a massive breach, as this is, for the most part, publicly available info – you’re not getting anything that’s not freely available via other means on the web. But for users that had been looking to keep their Twitter profile separate from their IRL identity, or those that might be tweeting about divisive topics, it does mean that people could potentially track down their phone numbers, via this list, and harass them in a whole new, and more extreme, way.

In fact, if you follow the breadcrumbs, you could likely track down a person’s address and other info as an extension of this dataset. For example, let’s say Twitter user @JohnDoe77 says something that you don’t like – you could search for their username in this database, if you had access, and see if they have a mobile number listed. You could then search for that number online, and likely find further contact info, etc.

The data itself may not seem like an extreme breach, it’s not revealing confidential info attached to your Twitter account, as such. But it’s still potentially problematic. Which is not a good look for Twitter.

It’s also not the first time that Twitter has dealt with a data misuse issue of this type.

Back in 2018, the platform uncovered an issue related to one of its support forms, which exposed the country code of people’s phone numbers, if they had one associated with their Twitter account, as well as whether or not their account had been locked. In 2019, Twitter also found that some email addresses and phone numbers that had been provided for account security had additionally been used for ad targeting purposes, in violation of data usage regulations.

These are all relatively minor flaws, in a data flow sense. But they don’t paint a great picture of Twitter’s capacity to manage such issues, and to keep people’s personal information safe.

Twitter also needs to tread very carefully right now, given the ongoing legal battle in the Elon Musk takeover case. At present, Musk and his team are seeking to exit the deal on the basis that Twitter has misrepresented its data, constituting a ‘Material Adverse Effect’: something significant has altered the original, agreed-upon terms, to the point that the platform is no longer as valuable as it was at the time of the agreement.


Musk’s team is using Twitter’s fake and spam account numbers as the key lever here. But if a data breach like this were significant enough, it too could be added to Musk’s legal case, giving it more grounds to raise questions over Twitter’s official representations, which may then constitute adverse impact.

It doesn’t seem like this breach would reach that level, but it’s another reminder for Twitter to check and re-check its systems to ensure that there are no major data flaws or exposure concerns that could be used against them – both directly and in a legal sense.

Right now, however, Twitter is working to manage the issue by closing the potential exploit and directly notifying the account owners impacted.

“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”

It’s not great, and it could get a lot worse if that dataset falls into the wrong hands.

Essentially, this isn’t a major problem right now, but it could become one. And in the midst of its biggest legal battle, possibly ever, Twitter doesn’t need another distraction – aside from the direct impacts of the breach on those included in the list.
