Twitter has confirmed that a data set of 5.4 million Twitter accounts that went on sale on the dark web in July was in fact genuine, after a hacker exploited a bug in the company’s systems to steal the data.
The information, which has been used to build a database of email addresses and phone numbers linked to Twitter accounts, could reveal the true identities of pseudonymous (often described as “anonymous”) Twitter accounts.
Although no passwords were exposed, the platform has advised users to enable two-factor authentication on their accounts. Security experts have also said that password managers should be used to strengthen account security, and that extra caution should be taken when responding to emails that appear to come from Twitter.
Twitter’s Counter-Productive Update
The story stems back to June 2021, when a Twitter update inadvertently led to the creation of a system bug.
The company was notified of this bug during a bug bounty program by a user called “zhirinovskiy” in January of 2022. Twitter paid the user over $5,000 in bounty payment for the report.
The company said in a statement on Friday that after becoming aware of the bug, the code was amended immediately, closing the exploit. The social media platform says there was no evidence anyone had exploited it.
However, in July 2022, news of a hacker selling the personal information of 5.4 million Twitter users for a fee of $30,000 made headlines across the press.
According to Bleeping Computer – who made direct contact with the threat actor – the data was taken from Twitter’s systems during December 2021. Accounts belonging to celebrities and major companies are claimed to be among those compromised.
A Dangerous Vulnerability
According to Zhirinovskiy, “The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings.”
The bug itself, he explains, “exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.”
The way the vulnerability can be exploited is by plugging in email addresses and phone numbers and seeing if a corresponding Twitter ID exists. Subsequently, a database can be built with this information and the Twitter ID that matches.
In this way, it shares similarities with the way 533 million users had their Facebook data scraped last year.
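To make the flaw concrete, here is an added illustration (not Twitter's code; the accounts, names and rate-limit values are constructed) of a duplicate-account check that acts as an existence oracle, next to a hardened version that returns an identical response whether or not the contact is registered, rate-limits callers, and logs lookups so bulk enumeration can be detected:

```python
"""Account-existence oracle: the vulnerable pattern and a hardened one.
Added illustration with a constructed in-memory store; not Twitter's code."""
import time
from collections import defaultdict

# Constructed sample accounts keyed by contact detail (hypothetical values).
# "discoverable" mirrors the privacy setting that lets others find the
# account by phone number or email address.
USERS = {
    "alice@example.com": {"id": 1001, "discoverable": True},
    "+15555550100":      {"id": 1002, "discoverable": False},  # opted out
}

def vulnerable_check(contact):
    """Before: an unauthenticated duplicate-account check that confirms
    existence and returns the ID, ignoring the discoverability setting."""
    user = USERS.get(contact)
    if user:
        return {"taken": True, "user_id": user["id"]}
    return {"taken": False}

class RateLimiter:
    """Sliding-window limit per caller: bulk enumeration needs millions of calls."""
    def __init__(self, max_calls, window_s):
        self.max_calls, self.window_s = max_calls, window_s
        self.calls = defaultdict(list)

    def allow(self, caller, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.calls[caller] if now - t < self.window_s]
        self.calls[caller] = recent
        if len(recent) >= self.max_calls:
            return False
        recent.append(now)
        return True

def hardened_check(contact, caller, limiter, audit_log, notify_queue, now=None):
    """After: the response is byte-for-byte identical whether or not the
    contact is registered, so the caller learns nothing. The legitimate
    workflow (telling the owner) happens out of band, and every lookup is
    logged so bursts from one caller can be detected."""
    if not limiter.allow(caller, now):
        return {"status": 429, "message": "Too many requests"}
    audit_log.append((caller, contact))  # for detection, never in the response
    owner = USERS.get(contact)
    if owner:
        notify_queue.append(owner["id"])  # out of band; the caller never sees this
    return {"status": 200, "message": "If this contact is registered, we'll notify it."}
```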
In Twitter’s statement released on Friday, it said the company was “publishing this update because we aren’t able to confirm every account that was potentially impacted,” and highlighted the risk it might cause to “people with pseudonymous accounts who can be targeted by state or other actors.”
Twitter and Anonymity
Twitter’s warning about pseudonymous accounts shouldn’t be taken lightly.
Depending on the content of the dataset, any number of people who use “anonymous”/pseudonymous Twitter accounts because they live under an oppressive regime that would otherwise punish their actions could be exposed.
Although regularly used to hurl abuse at public figures without repercussion, anonymous accounts on sites like Twitter have provided a vital lifeline to whistleblowers and activists – as well as members of ethnic, religious, and sexual minority groups – in countries where they would otherwise have no voice.
This was especially useful on a public platform like Twitter, where the potential for engagement is so high and the possibility of making a tangible difference is vast.
The current news might make people in those situations less inclined to use Twitter as a tool to further their causes, or simply protect themselves from state persecution – which could mean an exodus to less secure or less impactful platforms.
Protecting Your Identity – and Your Account
Even if you’re creating a pseudonymous Twitter account, this recent data exposure is a testament to why you should also use an email address not associated with your real-world identity.
You can also avoid attaching your phone number to a Twitter account simply by not adding one; if you need a second factor for two-factor authentication, use an authenticator app rather than SMS codes.
Treat emails from Twitter with extreme caution, especially now there’s data out there that can be used for phishing campaigns. If an email purporting to be from Twitter asks you to input your account details, contact Twitter through an official communication channel to verify whether the email is legitimate.
If you are worried your government may persecute you for what you say online, a VPN is a worthwhile investment. A VPN routes your traffic through the provider's server, so the sites you visit see the VPN's IP address rather than yours, making it harder to determine your true location.
Lastly, remember to use a password manager. There’s no point in instating all these security precautions if your first line of defense is weak.
Password managers will securely store all your passwords in one place – and this means you’ll be able to make them all completely unique. Importantly, you’ll also be able to make them as long as you like without worrying whether you’ll remember them or not.
In a world where data breaches are on the rise – and hundreds of companies hold our personal information – using the security provisions immediately available to you is the very least you can do.