Twitter confirms hacking of millions of accounts: change your password and these security settings
Twitter has confirmed an attack revealing the identity and data of more than 5 million accounts.
Those who protect their privacy behind a pseudonymous account on this social network should review the configuration and security settings of their profiles. Twitter has confirmed an attack, made public a month ago, in which 5.4 million accounts were exposed along with their phone numbers and personal email addresses.
The company is attempting to notify all affected accounts of the problem, but advises taking action as soon as possible: tightening profile security and, for added protection, unlinking accounts from identifying data such as email addresses or phone numbers. “If you operate a pseudonymous Twitter account, we understand the risks an incident like this can present.”
The hack occurred in January. Twitter then disclosed a vulnerability found in early 2022, thanks to its bug bounty program, and a fix was completed on Jan. 13. Before the fix landed, however, attackers exploited the weakness in the system to access data.
The flaw allowed an unauthenticated person with sufficient knowledge to submit a phone number or email address and have Twitter’s systems return the account associated with it, even if the account owner had disabled that lookup in their privacy settings.
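The failure described above is a discoverability bypass: a contact-to-account lookup that ignores the owner's privacy setting and so doubles as an account-enumeration oracle. The following is an added example, not Twitter's code and not the actual vulnerable endpoint; it models a hypothetical lookup service with constructed sample accounts, shows the flawed version next to a hardened one that honours each per-contact setting and gives unauthenticated callers a uniform answer, and includes the audit check a defender would run to confirm that hidden accounts stay hidden.

```python
"""Added illustration (not Twitter's code): a contact lookup that leaks
account identity regardless of the owner's discoverability setting, next
to a hardened version, plus an audit helper. All accounts, emails and
phone numbers below are constructed sample data."""

from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool   # owner's "let people find me by email" setting
    discoverable_by_phone: bool   # owner's "let people find me by phone" setting


# Constructed sample directory (hypothetical users, not real data).
ACCOUNTS = [
    Account("@alice_public", "alice@example.com", "+15550100", True, True),
    Account("@whistle_anon", "anon@example.net", "+15550199", False, False),
    Account("@bob_mixed", "bob@example.com", "+15550150", True, False),
]


def lookup_vulnerable(contact: str) -> Optional[str]:
    """Flawed lookup: matches on email or phone and returns the handle
    without consulting the owner's discoverability settings, and answers
    anyone, authenticated or not."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct.handle
    return None


def lookup_hardened(contact: str, authenticated: bool) -> Optional[str]:
    """Hardened lookup: unauthenticated callers always get the same answer,
    so the endpoint cannot be used as an existence oracle; authenticated
    callers only get matches the owner opted into for that contact type."""
    if not authenticated:
        return None  # uniform response whether or not the contact exists
    for acct in ACCOUNTS:
        if contact == acct.email and acct.discoverable_by_email:
            return acct.handle
        if contact == acct.phone and acct.discoverable_by_phone:
            return acct.handle
    return None


def exposed_hidden_handles(lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Audit: feed every contact whose owner opted OUT of discovery to the
    lookup and report which hidden handles still come back. An empty list
    means the privacy setting is actually enforced."""
    leaked = []
    for acct in ACCOUNTS:
        for contact, allowed in (
            (acct.email, acct.discoverable_by_email),
            (acct.phone, acct.discoverable_by_phone),
        ):
            if not allowed and lookup(contact) == acct.handle:
                leaked.append(f"{acct.handle} via {contact}")
    return leaked


if __name__ == "__main__":
    print("vulnerable:", exposed_hidden_handles(lookup_vulnerable))
    print("hardened:  ", exposed_hidden_handles(lambda c: lookup_hardened(c, True)))
```

The audit helper is the useful part for an operator: run against the flawed lookup it lists the pseudonymous account via both contact channels and the mixed account via its non-discoverable phone number; run against the hardened lookup it returns nothing, while users who opted in (such as the public account) remain findable by authenticated callers.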
“At the time, we had no evidence to suggest that anyone had taken advantage of the vulnerability,” Twitter explains. In mid-July, however, the company learned that a database of 5.4 million accounts compiled through this vulnerability was being offered for sale online for $30,000. “After reviewing a sample of the data available for sale, we confirmed that a bad actor had taken advantage of the problem before it was fixed,” the company now states.
The sale of such information may be for “advertising purposes or the purpose of identifying celebrities in malicious activity.” Suspended accounts also appear in the data, widening the scope of the leak further. Such data, it should not be forgotten, is often reused in new phishing and identity-theft campaigns.
Having already repaired the breach, in the face of the disclosure of the stolen data,…