Millions of Twitter (NYSE: TWTR) accounts are believed to have been compromised by a hacker after stolen user data was put up for sale online.
Twitter confirmed the breach last week, noting in a blog post that the breach involved a security flaw previously reported through HackerOne. The vulnerability was patched in January shortly after the report was received, and a $5,000 bounty was paid to the white hat hacker who discovered it. Twitter noted that it had no evidence at the time that anyone had exploited the flaw.
The company has said that it will be in direct contact with any users confirmed to have been affected by the breach. Twitter isn't currently certain how many of the 5.4 million entries in the illicit sale listing are genuine as the seller has only made a sample publicly available.
How Was the Data Stolen, and How Did Twitter Not Know?
The breach was described in detail by the white hat hacker "Zhirinovsky" in a report made through HackerOne in January. According to the report, hackers could use the email address or phone number of a user to obtain their Twitter ID, which could then be used to obtain private information behind the account using a few known methods.
If Twitter knew in January that it had a major security flaw, how did it not know data had been stolen?
Twitter has suffered hacks in the past that were responded to much more quickly, such as the 2020 hijacking of accounts belonging to several public figures. Unlike those attacks, which were immediately noticeable because of the high-profile accounts involved, this breach produced no outward indications of data theft.
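The flaw described above is a contact-lookup endpoint that resolves an email address or phone number to an account without honouring the user's discoverability settings, and the question of why nothing was noticed is one of detection. The following is an added example, not Twitter's code and not from the HackerOne report: a constructed account directory, a lookup that shows the flawed pattern beside a hardened lookup that treats non-discoverable accounts exactly like non-existent ones, and a simple detector that flags clients performing an unusual volume of lookups in constructed log lines. The account records, log format and threshold are all assumptions.

```python
# Added example (not Twitter's code). Demonstrates a contact-lookup flaw that
# ignores discoverability settings, its hardened form, and log-based detection
# of bulk lookups. All accounts, identifiers and log lines are constructed.

from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Account:
    account_id: int
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool


# Constructed sample directory; the second user has opted out of discovery.
ACCOUNTS: List[Account] = [
    Account(1001, "alice@example.org", "+15550000001", True, True),
    Account(1002, "bob@example.org", "+15550000002", False, False),
]


def lookup_vulnerable(contact: str) -> Optional[int]:
    """Flawed pattern: any known email or phone resolves to an account ID,
    regardless of whether the user allowed discovery by that contact method."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct.account_id
    return None


def lookup_hardened(contact: str) -> Optional[int]:
    """Honours the per-method discoverability flag. A non-discoverable account
    yields the same result as a contact that matches nothing, so the response
    cannot be used to confirm that an account exists behind the contact."""
    for acct in ACCOUNTS:
        if contact == acct.email and acct.discoverable_by_email:
            return acct.account_id
        if contact == acct.phone and acct.discoverable_by_phone:
            return acct.account_id
    return None


# Constructed log lines in an assumed format: "<timestamp> <client> <action> <outcome>".
SAMPLE_LOG = """\
2022-01-03T10:00:01Z 198.51.100.7 lookup hit
2022-01-03T10:00:02Z 198.51.100.7 lookup miss
2022-01-03T10:00:02Z 203.0.113.5 lookup hit
2022-01-03T10:00:03Z 198.51.100.7 lookup hit
2022-01-03T10:00:03Z 203.0.113.5 login ok
2022-01-03T10:00:04Z 198.51.100.7 lookup miss
"""


def flag_enumerators(log_text: str, threshold: int) -> List[str]:
    """Return clients whose lookup count meets the threshold, sorted.
    Bulk lookups with many misses are the signature of contact enumeration."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than failing the whole scan
        _, client, action, _ = fields
        if action == "lookup":
            counts[client] += 1
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("bob@example.org"))  # leaks 1002
    print("hardened:  ", lookup_hardened("bob@example.org"))    # None
    print("flagged:   ", flag_enumerators(SAMPLE_LOG, 3))
```

The hardened lookup fixes the privacy bypass but does not by itself stop a client from checking a large number of contacts against discoverable accounts, which is why the volume-based detector is shown alongside it; in practice the threshold would be tuned per endpoint and combined with rate limiting.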
In other major hackings, such as the recent theft of a Chinese police database, it is only when stolen data is made available online that theft is discovered.
The data stolen in the Twitter breach was discovered by Restore Privacy on a notorious hacking forum in July. Both Restore Privacy and BleepingComputer contacted affected users whose data was in the sample, receiving confirmation that the information was genuine.
How Will This Affect User Privacy on Twitter?
It is unlikely that Twitter will disclose how many of the millions of entries are genuine if it is ever able to view the stolen data in its entirety. However, it is still very likely that many users could be affected as more than one source has verified the authenticity of the sample data.
In addition to regular users potentially having their identities compromised, many of Twitter's anonymous users could wind up doxed. The vulnerability allowed hackers to bypass Twitter's privacy settings, meaning that the identity behind any account was fair game.
Unless the database is recovered by Twitter or the authorities, or leaked online, it is unlikely that the true extent of the breach will be known, leaving the privacy of many of the platform's users in question.