Twitter reported yet another security flaw within its systems that had enabled users to uncover whether an email address or phone number was linked to an existing Twitter account. The breach led to at least one hacker compiling a huge list of Twitter account info that was later sold online. Wow, now that’s some instant marketing right there.

As Twitter explained:

“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. When we learned about this, we immediately investigated and fixed it.”

Data Breach Rev. Ed. 

Theoretically, this tells us that anyone could have made a database of Twitter accounts attached to either an email address or phone number by using Twitter’s tools designed to help users find active connections in the app. Though concerning, it’s not that huge of a revelation, seeing as how a similar incident already happened back in 2015. BuzzFeed used the flaw in Twitter’s system to uncover the ‘Burner Account’ of a far-right politician in Australia. It’s the widespread use of this process that might lead to trouble – which is exactly what happened.

According to BleepingComputer, they’ve spoken to a person who used this flaw to compile a database of 5.4 million Twitter accounts, including ‘a verified phone number or email address, and scraped public information, such as follower counts, screen name, login name, location, profile picture URL, and other information’. BleepingComputer says that the same person looked to sell the dataset for around $30,000, and several buyers have reportedly acquired the cache since then.
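Bulk lookups of the kind described above leave a recognizable trace on the server side: one client submitting many different email addresses or phone numbers in a short time. The sketch below is an added example, not code from Twitter or from the original article, and it flags that pattern in lookup logs. The event fields, client names, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_time, client_id, identifier_hash, matched_account).
# identifier_hash stands in for a hash of the submitted email or phone number,
# so the detector itself never stores raw contact details.
SAMPLE_EVENTS = (
    [(1000 + i, "client-A", f"h{i:04d}", i % 3 == 0) for i in range(40)]  # bulk sweep
    + [(1005, "client-B", "h9001", True),
       (1300, "client-B", "h9002", False),
       (1900, "client-B", "h9001", True)]  # ordinary contact sync
)


def flag_enumerators(events, window_s=60, max_distinct=20):
    """Return {client_id: peak_distinct} for clients that submitted more than
    max_distinct different identifiers inside any window_s-second window."""
    recent = defaultdict(deque)   # client -> deque of (time, identifier_hash)
    counts = defaultdict(dict)    # client -> {identifier_hash: occurrences in window}
    flagged = {}
    for ts, client, ident, _matched in sorted(events):
        window, seen = recent[client], counts[client]
        window.append((ts, ident))
        seen[ident] = seen.get(ident, 0) + 1
        # Drop lookups that have aged out of the sliding window.
        while window and window[0][0] <= ts - window_s:
            _, old = window.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        # Repeated lookups of the same identifier do not raise the count.
        if len(seen) > max_distinct:
            flagged[client] = max(flagged.get(client, 0), len(seen))
    return flagged


if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_EVENTS))
```

Counting distinct identifiers rather than raw request volume keeps a normal client that re-syncs the same contacts from being flagged.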

It’s not a ‘massive’ breach for the most part, as this was at least publicly available info, but for users who had been looking to separate their real-life identities from their Twitter ones, or who wanted to tweet about divisive topics without catching too much flak in person, this would make them more vulnerable in the real world, as ‘haters’ could now potentially track them down and cause all kinds of trouble. As an example, let’s say that you didn’t quite agree with what user @Loud.mouth said. You can type their username into the database, provided you have access, and see if they have either an email address or mobile number listed. After acquiring either, you can then look them up online to find more of their personal data. Again, the data itself might not seem like an extreme breach, but it could still be an issue.

There have been other security flaws with Twitter over the last four years. In 2018, the platform uncovered an issue related to one of its support forms, which exposed the country code of people’s phone numbers. Meanwhile, in 2019, Twitter also found that some email addresses and phone numbers that had been given for security had been used for ad targeting purposes, breaching data usage terms.

The Wrap

These may be relatively minor flaws, but they do paint a picture of Twitter’s capacity to manage and safeguard its users’ personal information. Twitter should tread carefully right now, especially if they mean to win their legal tussle with Elon Musk and Co. Though this recent breach isn’t anywhere near Musk’s speculations about the real value of fake and spam accounts on the platform, it’s a good reminder for Twitter to check its systems to ensure that there are no major data flaws or exposure concerns.

Right now, Twitter is at least working to resolve the concern by closing the potential exploit and directly notifying those with impacted accounts. It’s not great, but it’s better for Twitter to take a hit than have the dataset fall into the wrong hands. It may not be a big problem now, but it could be, which is why Twitter should quell it while it can.



Sources 

https://bit.ly/3SzJ2YL