Twitter has confirmed that it was a victim of the cyberattack that resulted in the theft and leak of the data of 5.4 million users of the platform, to whom it will send a notice indicating that their confidential information has been exposed.
At the beginning of the year, the platform received, through its bug bounty program managed by the firm HackerOne, a report of a security flaw that attackers could exploit to access its users’ data, as it now explains on its blog.
The HackerOne platform connects companies like Twitter with security researchers who test the social network’s defences, look for flaws and report them in exchange for financial rewards.
While verifying a duplicate account, a HackerOne user known as ‘zhirinovsky’ discovered the vulnerability in Twitter’s Android app.
The flaw allowed anyone who submitted an email address or phone number to learn the Twitter ID of the account associated with that email or number, if such an account existed.
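The behaviour described above is an account-existence oracle: the response differs depending on whether the contact is registered. The following added example (not Twitter’s code) models such a lookup endpoint with constructed sample data, beside a hardened version whose response is identical for known and unknown contacts and which rate-limits each client; the account directory, client identifiers and token flow are assumptions for illustration.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample directory (assumption): contact -> account id
ACCOUNTS = {"alice@example.com": 1001, "+15550100": 1002}


def vulnerable_lookup(contact: str) -> dict:
    """Leaks whether a contact is registered and which account owns it.

    Anyone holding a list of emails or phone numbers can learn which ones
    map to an account, which is the defect the article describes.
    """
    account_id = ACCOUNTS.get(contact)
    if account_id is None:
        return {"status": "not_found"}
    return {"status": "ok", "account_id": account_id}


@dataclass
class HardenedLookup:
    """Same feature without the oracle.

    The response is the same dict whether or not the contact exists; any
    real linking is completed out of band with a token delivered to the
    contact owner (stored here to model that), and each client is limited
    to `limit` attempts so bulk probing is cut off.
    """
    limit: int = 5
    attempts: dict = field(default_factory=lambda: defaultdict(int))
    tokens: dict = field(default_factory=dict)

    def lookup(self, client: str, contact: str) -> dict:
        self.attempts[client] += 1
        if self.attempts[client] > self.limit:
            return {"status": "rate_limited"}
        if contact in ACCOUNTS:
            # Token goes to the contact owner only; it never appears in the response.
            self.tokens[contact] = secrets.token_urlsafe(16)
        return {"status": "accepted"}  # identical for known and unknown contacts
```

A complete fix also has to keep response timing and error detail uniform; the example only removes the content difference and adds the per-client limit.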
As the company recently acknowledged in a post in the Privacy section of its blog, the bug was the result of an update to its code implemented in June 2021.
Twitter said that when it became aware of the issue it investigated and fixed it “immediately”. “At the time, we had no evidence to suggest anyone took advantage of the vulnerability,” it said.
However, in July this year, specialist outlets such as RestorePrivacy reported that data from 5.4 million accounts had been collected and leaked, and was then put up for sale on the hacking forum Breached Forums.
After reviewing the data the cybercriminals were selling on this forum, the social network confirmed that they had exploited the flaw before it was fixed months earlier.
It thus confirmed that the privacy of these users had been violated and said it would notify the owners of the affected accounts that their data had been leaked, although it does not know the identity of everyone affected.
To help users protect their accounts and the information they contain, the company has offered a series of recommendations, such as enabling two-factor authentication. It also noted that in this attack the threat actors did not gain access to login credentials.
It further recommended that owners of anonymous accounts who want to keep their identity as hidden as possible not associate them with a “publicly known” phone number or email address.