Twitter confirms that a data breach leaked email addresses and phone numbers of users

Ashwin
Aug 8, 2022
Twitter
|
6

Twitter has confirmed that it suffered a data breach which leaked the email addresses and phone numbers of users. The issue came to light after a hacker leaked a sample of the data.

Twitter confirms that a data breach leaked email addresses and phone numbers of users

How did the Twitter data breach happen?

In a statement published on its blog, Twitter explains how the issue occurred. It says that the developers had updated the site's code in June 2021, as part of its regular operations. The code unfortunately contained a bug which allowed users to submit an email address or phone number via a login form, and in turn Twitter's system would reveal which account the data was associated with.

The social networking company received a report about the bug in January 2022, and  fixed the vulnerability to protect its users. The gap of 6 months from when the issue began and was fixed, is quite large and hackers could have potentially mined the data, but Twitter did not find any evidence to indicate that the bug had been exploited by bad actors.

ADVERTISEMENT

So, if it happened 6 months ago, why is Twitter revealing it now? It says that a media report that was published recently, had revealed that hackers may have misused the vulnerability in order to gain access to the sensitive data. Twitter reviewed a part of the data that was available online, and confirmed that someone had indeed extracted the data. This seems to have happened before the vulnerability had been patched.

The social network says that it cannot confirm whether all users are affected by the issue, but that it will alert users whose accounts were impacted. Twitter also reassured users that no passwords were compromised in the data breach.

While the company may have declined to reveal the information regarding the number of impacted accounts, a report published by Bleeping Computer in July 2022, reveals that a hacker claimed they had access to user data from over 5.4 Million accounts. The hacker had put up the details for sale on the dark web for about $30,000. This is likely the media report that Twitter was referring to.

Since this is a server-side vulnerability, there is nothing that users can do. Twitter has advised users to enable 2-factor authentication to keep their accounts safe. It also asked users who have pseudonymous accounts, not to use a publicly known phone number or email address with their account, to keep their identity a secret.

Note: If you get an email from Twitter asking you to login to your account, pay attention to the sender's name, the URL, etc. It could well be a phishing attempt.

It maybe a good idea to start using a secondary email address (or email-aliases) for social networks, this will not only protect your primary email ID, but can also help prevent junk mails from landing in your inbox.

Twitter has a serious bot problem too, which is one of the reasons why a recent acquisition attempt by tech mogul, Elon Musk, fell through.

Do you use your primary email address and phone number with your Twitter account?

Summary
Twitter confirms that a data breach leaked email addresses and phone numbers of users
Article Name
Twitter confirms that a data breach leaked email addresses and phone numbers of users
Description
Twitter suffered a data breach that leaked email addresses and phone numbers of users. Here's what happened.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Frankel said on August 8, 2022 at 3:52 pm
    Reply

    >Do you use your primary email address and phone number with your Twitter account?

    No sir, and the only reason they allowed me to dodge the phone number was that I used a FIDO2 compatible hardware 2FA key to secure my account with a second factor. In my book that should be a default option. If they really have my security in mind allow me to chose alternatives like TOTP generators and 2FA keychains over leaking my most sensitive data.

    Most companies don’t care about your security, they say the text messages are for protection, but they are to syphon your data. Google allowed me to dodge phone numbers way harder. MS banned me because I didn’t provide a phone number. Support tried to coerce me into giving the phone number first. It took me weeks to have my deactivated account deleted threatening them with a GDPR complaint.

    Also I am sure they want phone numbers because EU law makes it impossible to buy burner phones. The SIM cards do not activate unless you buy them and present a citizen ID here. A phone number is thus requested by the government to hunt outliers down who post hate messages online.

    ThinkPol and Bigbrother are a reality. A VPN and TOR are useless once they have your phone number. I rate this article Doubleplus Good.

    1. owl said on August 9, 2022 at 12:48 pm
      Reply

      @Frankel,
      > Most companies don’t care about your security, they say the text messages are for protection, but they are to syphon your data. Google allowed me to dodge phone numbers way harder. MS banned me because I didn’t provide a phone number. Support tried to coerce me into giving the phone number first. It took me weeks to have my deactivated account deleted threatening them with a GDPR complaint.
      Also I am sure they want phone numbers because EU law makes it impossible to buy burner phones. The SIM cards do not activate unless you buy them and present a citizen ID here. A phone number is thus requested by the government to hunt outliers down who post hate messages online.
      ThinkPol and Bigbrother are a reality. A VPN and TOR are useless once they have your phone number. I rate this article Doubleplus Good.

      I fully agree with Frankel’s view.
      Well, I do not use social networking service (Facebook, Twitter, etc.), however I have had similar experiences with using Microsoft and Google services, and several of them locked my account and prevented me from continuing to use their services.
      I can’t agree with their requirements, so stopped using those services.

  2. Tachy said on August 8, 2022 at 5:11 pm
    Reply

    Adding more personal information to a vunerable account is so stupid a blind man can see it.

    TFA is in theory a good idea but in practice it’s used as just another way to build your advertising profile so that it’s more profitable which in fact makes your data less secure.

  3. Chris said on August 8, 2022 at 6:46 pm
    Reply

    Report was first published on restoreprivacy.com very useful website in general…

  4. Plants said on August 11, 2022 at 6:56 am
    Reply

    What kinda dummies put their phone numbers into Twitter?
    I doesn’t even ask for one.

  5. Sonny said on September 11, 2022 at 3:37 pm
    Reply

    Something to consider: a person suddenly and unexpectedly loses their ability to FOCUS “ normally “

    Then, SUDDENLY tasks such as READING becomes VERY DIFFICULT. And, as fate would have it, Twitter suffered a security breach exactly at the same time TWITTER initiates a 24 hr TIME OUT. So with the breach and the TO requesting my email address is near impossible to provide.
    1 more thought: how can anyone contact a company who doesn’t publish a way to COMMUNICATE Then ?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.