Twitter Breach of 5.4M Accounts

Lawrence Abrams (Hacker News):

Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users’ accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.

[…]

This vulnerability allowed anyone to submit an email address or phone number, verify if it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account.

[…]

While no passwords were exposed in this breach, Twitter is encouraging users to enable 2-factor authentication on their accounts to prevent unauthorized logins as a security measure.

For those using a pseudonymous Twitter account, the social media company suggests you keep your identity as anonymous as possible by not using a publicly known phone number or email address on your Twitter account.

Giving Twitter your phone number was supposed to provide more security, but in this case it seems like it made it easier to look up accounts and link them to other public information.

Previously:

• SMS Rerouting Vulnerability
• Twitter Account Hacked via SIM Reset

Update (2022-08-12): See also: Bruce Schneier.

Breach Privacy Security Short Message Service (SMS) Twitter Two-Factor Authentication (2FA) Web

Comments RSS · Twitter

Leave a Comment

Name

E-mail (will not be published)

Web site

Δ