Twitter has confirmed that it was the victim of a cyberattack that resulted in the theft and leaking of the data of 5.4 million users of the platform, and says it will notify those users that their confidential information has been exposed.
At the beginning of the year, the platform received a report through its bug bounty program, managed by the firm HackerOne, about a security hole that fraudsters could exploit to access the data of its users, as it now explains on its blog.
HackerOne connects companies like Twitter with hackers who test the social network's security measures looking for flaws, in exchange for financial rewards when they find them.
While examining the process for checking whether an account is a duplicate, a HackerOne user known as 'zhirinovskiy' discovered the vulnerability in the Android version of Twitter.
This security hole allowed anyone who submitted an email address or phone number to obtain the corresponding Twitter ID, if an account was associated with that email or number. In other words, the duplicate-account check acted as an oracle that linked a contact identifier to a specific account.
As the company recently acknowledged in a post published in the Privacy section of its blog, the flaw was introduced by an update to its code implemented in June 2021.
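The following is an added illustration, not Twitter's code and not taken from the original article or the bug report: a constructed duplicate-account check that behaves like the oracle described above, beside a hardened version that returns the same response whether or not the identifier is registered. The account data, the `ACCOUNTS` list, the `_notify_out_of_band` stub and the `enumerate_ids` attacker loop are all assumptions made for the example.

```python
"""Constructed example of an account-existence oracle and one way to close it.

Not Twitter's implementation. Accounts, IDs and messages below are made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Account:
    twitter_id: int
    email: str
    phone: str


# Constructed sample accounts (hypothetical identifiers).
ACCOUNTS: List[Account] = [
    Account(10000001, "alice@example.com", "+15550000001"),
    Account(10000002, "bob@example.com", "+15550000002"),
]

# Stand-in for an email/SMS sender: hardened path records what it would send.
SENT_MESSAGES: List[tuple] = []


def _lookup(identifier: str) -> Optional[Account]:
    """Find the account owning an email or phone number, if any."""
    ident = identifier.strip().lower()
    for acct in ACCOUNTS:
        if ident in (acct.email.lower(), acct.phone):
            return acct
    return None


def check_duplicate_vulnerable(identifier: str) -> dict:
    """Vulnerable shape: the response says whether the identifier is taken
    AND which account it belongs to, so anyone can map email/phone -> ID."""
    acct = _lookup(identifier)
    if acct is None:
        return {"status": "available"}
    return {"status": "taken", "twitter_id": acct.twitter_id}


def _notify_out_of_band(identifier: str, message: str) -> None:
    """Hypothetical sender: deliver the existence fact only to the identifier's owner."""
    SENT_MESSAGES.append((identifier, message))


def check_duplicate_hardened(identifier: str) -> dict:
    """Hardened shape: identical response for registered and unregistered
    identifiers. Whether an account exists is told only to whoever controls
    the email or phone number, never to the caller of the API."""
    acct = _lookup(identifier)
    if acct is not None:
        _notify_out_of_band(
            identifier, "An account already uses this contact; sign in or reset your password."
        )
    else:
        _notify_out_of_band(identifier, "Use this code to continue creating your account.")
    # Same status, same fields, same text on both branches.
    return {
        "status": "ok",
        "message": "If this email or phone can be used, we have sent instructions to it.",
    }


def enumerate_ids(candidates: List[str], check: Callable[[str], dict]) -> Dict[str, int]:
    """Attacker loop: feed a list of emails/phones to the endpoint and keep
    every identifier -> twitter_id pair the responses reveal."""
    found: Dict[str, int] = {}
    for candidate in candidates:
        response = check(candidate)
        if "twitter_id" in response:
            found[candidate] = response["twitter_id"]
    return found


if __name__ == "__main__":
    probes = ["alice@example.com", "+15550000002", "nobody@example.com"]
    print("vulnerable:", enumerate_ids(probes, check_duplicate_vulnerable))
    print("hardened:  ", enumerate_ids(probes, check_duplicate_hardened))
```

A uniform response body is the essential change, but in a real service the hardened path also needs per-client rate limiting and a constant-time lookup path, since a measurable timing or response-size difference between the two branches reopens the same oracle.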
Twitter says that when it became aware of the problem it investigated it "immediately" and fixed it. "At the time, we had no evidence to suggest that anyone had taken advantage of the vulnerability," it said.
However, in July of this year, specialized outlets such as RestorePrivacy reported on the collection and leaking of data from 5.4 million accounts, information that was subsequently put up for sale on the hacking forum Breached Forums.
After reviewing a sample of the data the cybercriminals were selling on that forum, the social network confirmed that they had exploited the vulnerability before it was fixed, months earlier.
It has therefore confirmed that the privacy of these users was violated and says it will notify the owners of the affected accounts that their data has been leaked, although it acknowledges that it cannot identify every account that was affected.
To help users protect their accounts and the information they hold, the company has proposed a series of measures, such as enabling two-factor authentication, while noting that in this attack the threat actors did not obtain login credentials.
In addition, it has recommended that owners of pseudonymous accounts who want to keep their identity hidden not associate them with a "publicly known" phone number or email address, since the leaked data links exactly those identifiers to account IDs.