Twitter was the victim of a “zero day” flaw that allowed hackers to steal personal data from more than 5 million social network accounts. The breach has been closed, but the threat remains for the victims.
In January, Twitter received confirmation, via its bug bounty program, of a flaw in the code of its identification system. Because of the vulnerability, if someone submitted an email address or phone number to Twitter’s system, the system would reveal which Twitter account was associated with that identifier.
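The class of flaw described above is an account-enumeration oracle. The following is an added example, not Twitter's code: it contrasts a lookup that reveals the linked account with one that returns the same response for every identifier and caps requests per client. All names, sample identifiers and the request budget are assumptions made for illustration.

```python
# Constructed sample data: identifiers and handles are invented for this example.
ACCOUNTS = {
    "alice@example.com": "@alice_example",
    "+15550100": "@bob_example",
}

def lookup_leaky(identifier):
    """Behaviour the article describes: the response names the linked account."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "account": handle}

GENERIC = {"status": "ok",
           "message": "If this identifier is registered, instructions were sent."}

class HardenedLookup:
    """Hypothetical mitigation: uniform response plus a per-client request budget."""

    def __init__(self, max_requests=5):
        self.max_requests = max_requests
        self.seen = {}     # client_id -> number of requests so far
        self.outbox = []   # stands in for out-of-band delivery (e-mail or SMS)

    def lookup(self, client_id, identifier):
        count = self.seen.get(client_id, 0) + 1
        self.seen[client_id] = count
        if count > self.max_requests:
            return {"status": "rate_limited"}
        if identifier in ACCOUNTS:
            # The account owner is notified privately; the caller learns nothing.
            self.outbox.append(identifier)
        return dict(GENERIC)

def leaked_mappings(lookup, candidates):
    """Leakage check: identifier -> account pairs recoverable from responses alone."""
    leaked = {}
    for candidate in candidates:
        response = lookup(candidate)
        if "account" in response:
            leaked[candidate] = response["account"]
    return leaked
```

Running `leaked_mappings` against both lookups in a regression test shows whether a code change has reintroduced the identifier-to-account link.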
Activate two-factor authentication!
The bug was introduced by a code update dating back to June 2021. When the social network became aware of the flaw, it carried out an investigation and quickly developed a fix. At that time, Twitter had no evidence suggesting that the vulnerability had been maliciously exploited.
However, last month, Twitter learned through the press that a hacker was offering to sell information obtained through this flaw. After reviewing a sample of this data, the company confirmed that a “bad actor” did indeed take advantage of the flaw before it was fixed. The database reportedly found a buyer for 30,000 dollars.
It contains information on 5.4 million Twitter users, who will be contacted directly by the social network. For all those who cannot be warned, the company has chosen to communicate publicly about the flaw so that everyone can take precautions.
The database contains e-mail addresses, telephone numbers or location information. Account passwords are fortunately not affected. Twitter strongly recommends enabling its two-factor verification system, an additional layer of security which greatly reduces malicious login attempts.