Twitter accidentally exposed personal data – including phone numbers and email addresses – for 5.4 million accounts. And someone was trying to sell this information.
In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about it, we immediately investigated and fixed it. At the time, we had no evidence to suggest that anyone had taken advantage of the vulnerability.
In July 2022, we learned through a press report that someone had potentially exploited this and was offering to sell the information they had compiled. After reviewing a sample of data available for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
This includes anonymous accounts.
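The bug Twitter describes is an account-existence oracle: an endpoint that takes an email address or phone number and answers with the matching handle. The following is an added example, not Twitter's code, showing a constructed lookup endpoint with that defect beside a hardened version that returns the same response whether or not the contact is linked to an account, delivers any real information out of band to the contact itself, and rate-limits callers so that bulk probing stands out. The directory entries, client identifiers and `_notify_out_of_band` helper are hypothetical.

```python
"""
Constructed example (not Twitter's code): an account-lookup endpoint that
leaks which handle a phone/email belongs to, beside a hardened variant.
"""
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: contact -> handle (hypothetical values).
DIRECTORY: Dict[str, str] = {
    "alice@example.org": "@alice_pseudonym",
    "+15555550100": "@anon_activist",
}

# Out-of-band messages "sent" by the hardened endpoint (captured for inspection).
SENT: List[Tuple[str, str]] = []


def lookup_vulnerable(contact: str) -> dict:
    """The defect: the response itself reveals whether, and to whom, the contact belongs."""
    handle = DIRECTORY.get(contact)
    if handle:
        return {"status": 200, "body": {"account": handle}}
    return {"status": 404, "body": {"error": "no account"}}


@dataclass
class RateLimiter:
    """Sliding-window limiter keyed by caller; bulk enumeration exhausts it quickly."""
    max_requests: int
    window_s: float
    hits: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))

    def allow(self, client: str, now: float) -> bool:
        recent = [t for t in self.hits[client] if now - t < self.window_s]
        self.hits[client] = recent
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter(max_requests=5, window_s=60.0)

# One fixed response for every contact, known or not, so the caller learns nothing.
UNIFORM_RESPONSE = {
    "status": 202,
    "body": {"message": "If this contact is linked to an account, instructions have been sent to it."},
}


def _notify_out_of_band(contact: str, handle: str) -> None:
    """Hypothetical delivery to the contact (email/SMS), never to the caller."""
    SENT.append((contact, handle))


def lookup_hardened(contact: str, client: str, now: Optional[float] = None) -> dict:
    """Same functionality (recovery flow), without acting as an existence oracle."""
    now = time.monotonic() if now is None else now
    if not LIMITER.allow(client, now):
        return {"status": 429, "body": {"error": "too many requests"}}
    # The directory lookup runs on every path so response shape does not branch on existence.
    handle = DIRECTORY.get(contact)
    if handle:
        _notify_out_of_band(contact, handle)
    return {"status": UNIFORM_RESPONSE["status"], "body": dict(UNIFORM_RESPONSE["body"])}


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("alice@example.org"), lookup_vulnerable("nobody@example.org"))
    print("hardened:  ", lookup_hardened("alice@example.org", "client-A", now=0.0),
          lookup_hardened("nobody@example.org", "client-A", now=1.0))
```

The uniform body removes the direct leak; the rate limiter is what turns a 5.4-million-row harvest into something a monitoring team would see as a spike of 429s from a small set of callers. In a real service the out-of-band notification should be queued rather than sent inline, so that response latency does not become a second oracle.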
This comment has it right:
So after forcing users to enter a phone number to continue using Twitter, despite Twitter not needing to know the users' phone number, they then extract the phone numbers and associated accounts. Big.
But it gets worse… After being told about the leak in January, instead of disclosing the fact that millions of users’ data was open for anyone to see, they quietly patched it up and hoped no one else found it.
It wasn’t until the press began to take notice that they finally discovered the leak.
This isn’t just one mistake that causes a security breach—it’s a chain of bad decisions and bad security culture, and if anything should attract government fines for poor data security, this is it.
Twitter’s blog post unhelpfully goes on to say:
If you use a pseudonymous Twitter account, we understand the risks that an incident like this can bring, and we’re very sorry that this happened. To keep your identity as private as possible, we recommend that you do not add a publicly known phone number or email address to your Twitter account.
Three news articles.
*** This is a shared blog of the Security Bloggers Network by Schneier on Security, authored by Bruce Schneier. Read the original post at: https://www.schneier.com/blog/archives/2022/08/twitter-exposes-personal-information-for-5-4-million-accounts.html