A Twitter vulnerability, which the company had been aware of since January, has been exploited by hackers to scrape the contact information of around 5.4 million users. The information is now on sale online, with the hackers charging $30,000 for the full list of user data.
At the start of the year, members of a popular hacking forum discovered a vulnerability that allowed attackers to acquire the phone numbers and email addresses of Twitter accounts, even if the user had hidden this information in their privacy settings. Twitter initially acknowledged only the vulnerability itself, and did not admit until 5 August that the data had actually been exploited.
“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems…In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information that they had compiled,” a statement from Twitter reads.
This official acknowledgement from Twitter comes too late for many, as the company had known about the vulnerability on the platform since January.
It initially addressed the vulnerability on a specialised bug-finding site, but did not report the vulnerability publicly, nor did it later disclose that the vulnerability had been exploited. Twitter patched the vulnerability quickly, but data pulled from the site is now appearing online.
Technology YouTuber "Mental Outlaw" says that Twitter had not been transparent about the vulnerability.
"The worst part about this data breach, to me, is how Twitter disclosed the vulnerability. Even though this is a pretty bad leak, impacting one of the most popular social media platforms," the commentator said, "Twitter waited until somebody actually started selling the database of this info to disclose the leak themselves publicly on Twitter."
Hackers claim that the data includes the contacts of “celebrities, companies, ‘randoms’, and ‘OGs.’”
Twitter claims that it will directly notify the owners of some accounts included in the leaks but will not be able to confirm every account that was potentially impacted.
As such, Twitter users are advised to be extremely vigilant about phishing attacks, which may trick users into giving away their login credentials for sensitive accounts. This advice is particularly pertinent to individuals who could be “targeted by state or other actors.”
“If you operate a pseudonymous Twitter account, we understand the risk an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account,” a company statement reads.
Twitter states that no user passwords were leaked as a result of the vulnerability, but still advises users to enable two-factor authentication on their accounts.