December 3, 2022


Twitter confirmed that someone exploited the zero-day vulnerability to gain access to user data.

In a blog post about the incident, the company says the vulnerability in question “allowed someone to enter a phone number or email address into the login flow in an attempt to find out if that information was associated with an existing Twitter account, and if so, what specific account”.
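The flaw described above is a classic account-enumeration bug: the login flow's response differs depending on whether the submitted email or phone number is tied to an account. The following added example (not Twitter's code, and using a constructed account store and illustrative thresholds) contrasts a lookup that leaks that distinction with one that returns a uniform response, and adds a simple monitor of the kind a defender can use to flag a client probing many distinct identifiers in a short window.

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample account store for this example; not real Twitter data.
ACCOUNTS = {
    "alice@example.com": "alice",
    "+15555550100": "alice",
    "bob@example.com": "bob",
}


def vulnerable_lookup(identifier: str) -> dict:
    """Behaves like the flaw described: the response reveals whether the
    email/phone is linked to an account, and which account it is."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "account": handle}


def hardened_lookup(identifier: str) -> dict:
    """Returns the same response whether or not the identifier is known.
    Any follow-up (reset link, SMS code) goes out of band to the contact
    itself, so a caller who does not control it learns nothing."""
    _ = ACCOUNTS.get(identifier)  # server-side work still happens, result is not exposed
    return {
        "status": "accepted",
        "message": "If this contact is linked to an account, we have sent instructions to it.",
    }


class EnumerationMonitor:
    """Flags a client that submits many distinct identifiers within a sliding
    window. The defaults are illustrative assumptions, not Twitter's settings."""

    def __init__(self, max_distinct: int = 10, window_seconds: float = 60.0):
        self.max_distinct = max_distinct
        self.window = window_seconds
        # client id -> deque of (timestamp, identifier) events, oldest first
        self._events = defaultdict(deque)

    def record(self, client: str, identifier: str, now: Optional[float] = None) -> bool:
        """Record one lookup attempt; return True if the client now exceeds
        the distinct-identifier threshold inside the window."""
        now = time.time() if now is None else now
        events = self._events[client]
        events.append((now, identifier))
        # Drop events that have aged out of the window.
        while events and now - events[0][0] > self.window:
            events.popleft()
        distinct = {ident for _, ident in events}
        return len(distinct) > self.max_distinct


if __name__ == "__main__":
    print(vulnerable_lookup("alice@example.com"))   # leaks the linked account
    print(hardened_lookup("alice@example.com"))     # identical to an unknown contact
    monitor = EnumerationMonitor(max_distinct=3)
    for probe in ["a@example.com", "b@example.com", "c@example.com", "d@example.com"]:
        print(probe, "flagged" if monitor.record("client-1", probe) else "ok")
```

The uniform response alone does not stop bulk probing; it removes the signal. The monitor is what turns the remaining behaviour (many distinct contacts from one client) into something that can be rate-limited or alerted on.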

Twitter says the flaw was introduced in a June 2021 update, reported by a security researcher in January, and corrected later that month. “At the time, we had no evidence to suggest that someone had exploited the vulnerability,” the company says.

Now that has changed. It has been reported that someone exploited this vulnerability, before it was patched, to scrape information on 5.4 million Twitter accounts, including the phone number or email address discovered via this flaw as well as publicly available data.

Twitter says it “learned through a press report that someone took advantage of this and was offering to sell the information they collected” in July. The company then reviewed a portion of the data being sold and confirmed that it was legitimate.

“We will notify account owners directly who we can confirm are affected by this issue,” Twitter says. “We are publishing this update because we are unable to confirm every account potentially affected, and we are particularly aware of people with accounts under pseudonyms that could be targeted by the state or other actors.”


Twitter officially recommends “not adding a publicly known phone number or email address to your Twitter account” if you’re using an alias. This advice cannot be applied retroactively, however, and Twitter users are regularly prompted to associate their phone numbers with their accounts.

Twitter did not immediately respond to a request for comment.
