Twitter was forced to report yet another security flaw in its systems which had allowed users to find out if a phone number or email address was connected to an existing Twitter account – which led to at least one hacker compiling a huge list of information about the Twitter account which then been sold online.
As explained by Twitter:
“In January 2022, we received a report through our bug bounty program regarding a vulnerability in Twitter’s systems. Due to the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the individual to which Twitter account the submitted email addresses or phone number were. associates, if applicable. When we learned of this, we immediately investigated and fixed the issue. ”
So essentially, by using Twitter’s tools designed to help users find connections that are also active in the app, you could theoretically create a database of Twitter accounts attached to any phone number or address. email that you have located on the web.
It’s not a huge reveal. In 2015, BuzzFeed used a similar flaw in Twitter’s systems to uncover the engraver account of a far-right politician in Australia. But it is the massive use of this process that could pose a problem.
This is exactly what happened:
“In July 2022, we learned from a news article that someone had potentially exploited this and was offering to sell the information they had compiled. After reviewing a sample of data available for sale, we confirmed that a bad actor took advantage of the issue before it was resolved.
Indeed, according to BleepingComputer, it is a person who used this flaw to build a database of 5.4 million Twitter account profiles “including a verified phone number or email address and retrieved public information, such as number of subscribers, username, login name, location, photo URL of profile and other information”.
The person, says BleepingComputer, was looking to sell the dataset for around $30,000, and several buyers have since acquired the cache.
It’s not a massive violation, because most of it is publicly available information – you’re not getting anything that isn’t freely available through other means on the web. But for users who were looking to separate their Twitter profile from their IRL identity, or those who might tweet about controversial topics, it means people could potentially track down their phone numbers, via this list, and harass them in a while. new way, and more extreme.
In fact, if you follow the breadcrumb trail, you could probably find a person’s address and other information as an extension of that dataset. For example, let’s say Twitter user @JohnDoe77 says something you don’t like – you can look up his username in that database, if you have access to it, and see if he has a number cell phone listed. You can then search for that number online and probably find other contact information etc.
The data itself may not appear to be an extreme breach, it does not reveal confidential information attached to your Twitter account, as such. But this is still potentially problematic. Which is not a good look for Twitter.
This isn’t the first time Twitter has faced a data misuse problem like this, either.
In 2018, the discovery platform a problem linked to one of its support forms, which exposed the country code of people’s phone numbers, whether they had one associated with their Twitter account, as well as whether or not their account had been locked. In 2019, Twitter also ffound that some email addresses and phone numbers that had been provided for account security had also been used for ad targeting, in violation of data usage regulations.
These are all relatively minor flaws, in a dataflow sense. But they don’t paint a good picture of Twitter’s ability to handle this and protect users’ personal information.
Twitter also needs to be very careful right now, given the ongoing legal battle over the Elon Musk takeover case. Currently, Musk and his team are seeking to get out of the deal, on the grounds that Twitter misrepresented his data, constituting a “material adverse effect”, meaning something material changed the original, the agreed terms, to the point that the platform no longer has the value it originally had at the time of the agreement.
Musk’s team is using Twitter’s fake account and spam numbers as key leverage here – but if a data breach like this were large enough, it could also be added to Musk’s legal case, giving him more reason to raise questions about the official representations of Twitter, which can then constitute a negative impact.
It doesn’t look like this breach would reach that level, but it’s another reminder for Twitter to check and recheck its systems to make sure there aren’t any major data breaches or exposure issues that could be used against them – both directly and in a legal sense.
At this time, however, Twitter is working to address the issue, closing the potential exploit and notifying affected account owners directly.
“We are issuing this update because we are unable to confirm all potentially impacted accounts, and are particularly mindful of individuals with pseudonymous accounts who may be targeted by the state or other actors.”
It’s not great, and it could get worse if this dataset falls into the wrong hands.
Essentially, it’s not a major issue right now, but it could be. And in the midst of its biggest legal battle, perhaps ever, Twitter doesn’t need another distraction — other than the direct impacts of the breach on those included on the list.