This marks the 10th data breach in Twitter’s 16-year history, the first dating back to January 2009, when hackers infiltrated 33 high-profile accounts. Other notable breaches occurred in November 2019, when data from hundreds of accounts was exposed, and in July 2020, when bad actors took over high-profile accounts to run Bitcoin scams.
Back in December, hackers exploited a zero-day vulnerability that linked email addresses and phone numbers to user accounts. The hack recently came to light when a hacker who goes by the name “devil” posted on Breach Forums that they had possession of personal information from nearly 5.5 million Twitter users.
While the number of affected accounts is said to be 5.4 million, Twitter admits it does not know for sure. “We can confirm the impact was global,” a Twitter spokesperson said via email. “We cannot determine exactly how many accounts were impacted or the location of the account holders.”
In a security advisory, Twitter wrote, "This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability."
While not discovered until July, the data breach happened in December 2021. A month later, in January 2022, Twitter was notified of the vulnerability by a security researcher through its bug bounty program, albeit a month too late.
If this wasn’t bad enough, many Twitter users stay anonymous for fear of persecution. The stolen data would allow buyers to see exactly who is behind these anonymous accounts. In a tweet, U.S. Naval Academy data security expert Jeff Kosseff agreed: “This is very bad for many who use pseudonymous Twitter accounts.”
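The article only says the bug "linked email addresses and phone numbers to user accounts". The following added example (not from the article and not Twitter's code) assumes, for illustration, that the flaw was an account-lookup endpoint whose response revealed the linked handle, and shows the leaky pattern next to a hardened one that gives a pseudonymous account's owner nothing to a third party; `response_differs` is the check a defender would run against their own endpoint.

```python
from typing import Callable, Dict, Optional

# Constructed sample data: contact detail -> handle of a pseudonymous account.
ACCOUNTS: Dict[str, str] = {
    "alice@example.org": "@anon_reporter_77",
    "+15550100": "@whistle_blows",
}


def lookup_leaky(contact: str) -> dict:
    """Assumed vulnerable pattern: the reply differs for registered and
    unregistered contacts and even names the linked handle, so anyone who
    can submit a list of emails or phone numbers can deanonymise accounts."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"status": 404, "error": "No account is associated with this contact."}
    return {"status": 200, "handle": handle}


def lookup_hardened(contact: str, session_contact: Optional[str]) -> dict:
    """Hardened pattern: the endpoint never confirms or denies a link to a
    third party. It answers only for the contact already bound to the
    caller's own authenticated session and otherwise returns one uniform
    reply regardless of whether the contact is registered."""
    uniform = {
        "status": 200,
        "message": "If this contact is registered, we have sent it a message.",
    }
    if session_contact is not None and contact == session_contact:
        handle = ACCOUNTS.get(contact)
        if handle is not None:
            return {"status": 200, "handle": handle}
    return uniform


def response_differs(lookup: Callable[[str], dict],
                     registered: str, unregistered: str) -> bool:
    """Detection check: True means the endpoint is an enumeration oracle,
    because a registered contact produces a different reply than an
    unregistered one."""
    return lookup(registered) != lookup(unregistered)
```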
While no passwords were stolen in this particular breach, Twitter is still reminding its users to choose strong passwords and opt in to two-factor authentication. Two-factor authentication requires users to present two pieces of evidence to prove they are who they say they are: for example, a password, a biometric such as a thumbprint, or a verification code only the user has access to. With two-factor authentication turned on, a bad actor who obtains a user’s password still cannot access the account with the password alone.
Twitter’s data breach couldn’t have come at a worse time. The company is currently in a legal battle with Tesla CEO Elon Musk after he attempted to back out of his offer to purchase Twitter for $44 billion.
Musk backed out of the initial Twitter deal over a disagreement about the number of spam accounts on the social media network, stating that Twitter had made “misleading representations” about the number of spam bots on the service. Twitter, in turn, sued Musk.
According to the lawsuit, “From the outset, defendants’ information requests were designed to try to tank the deal.” The lawsuit goes on to state: “Musk’s increasingly outlandish requests reflect not a genuine examination of Twitter’s processes but a litigation-driven campaign to try to create a record of noncooperation on Twitter’s part.”