- Twitter revealed that the recent data leak of millions of profiles resulted from the 2021 data breach that the company disclosed in August 2022.
- The bug that caused this issue resulted from a code change in June 2021, and it allowed hackers to determine whether a specific phone number or email address was linked to an existing account.
- The company encourages its users to enable 2-factor authentication using authentication apps and beware of possible email phishing.
The social media giant Twitter has responded to recent reports of a leak in Twitter’s systems, confirming that the exposed information of millions of profiles resulted from the 2021 data breach that the company disclosed in August 2022.
The recently exposed data is from the 2021 leak
In August, Twitter revealed that a bug was exploited to obtain user data before a patch was rolled out. The flaw was abused to collect data on 5.4 million users. As a result, the data was shared on a hacker forum by a user.
The vulnerability allowed someone to submit an email address or phone number to Twitter’s systems. Twitter’s systems would then show that person which Twitter account, if any, the submitted email address or phone number was associated with.
Twitter confirms that this flaw resulted from an update to its code in June 2021. Regarding the recent data breach reports, Twitter said in its blog post:
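The class of flaw described above, shown beside a hardened form, as an added example that is not Twitter's code or taken from the original article. The account table, function names, client ids and the budget of three distinct identifiers are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: hypothetical identifier -> account mapping.
ACCOUNTS = {
    "alice@example.com": "@alice",
    "+15550100": "@bob",
}

def lookup_leaky(identifier):
    """Behaviour the article describes: the reply reveals the linked account, if any."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "account": handle}

class HardenedLookup:
    """Uniform reply plus a per-client budget of distinct identifiers."""

    def __init__(self, max_distinct=3):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)  # client id -> identifiers submitted so far

    def lookup(self, client, identifier):
        self.seen[client].add(identifier)
        if len(self.seen[client]) > self.max_distinct:
            # Refusal does not depend on whether the identifier is registered.
            return {"status": "rate_limited"}
        # Same body for registered and unregistered identifiers.
        return {"status": "accepted"}

    def flagged_clients(self):
        """Clients that exceeded the budget, for review by the detection side."""
        return sorted(c for c, ids in self.seen.items() if len(ids) > self.max_distinct)

def distinguishable(responses):
    """True if the replies differ, i.e. a caller can tell registered from unregistered."""
    return len({tuple(sorted(r.items())) for r in responses}) > 1

if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com"]
    print("leaky:", distinguishable([lookup_leaky(p) for p in probes]))
    hardened = HardenedLookup()
    print("hardened:", distinguishable([hardened.lookup("client-1", p) for p in probes]))
```

The budget here never expires; a deployed version would count distinct identifiers per client within a time window.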
« In November 2022, some press reports published that Twitter users’ data had been allegedly leaked online. As soon as we became aware of the news, Twitter’s Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases. »
Twitter adds that in July 2022, the company learned about the data breach through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. The seller claimed that the database contained emails, phone numbers, and screen names of users ranging from celebrities to companies. The seller also shared a sample of data in the form of a CSV file.
2-factor authentication is recommended
Twitter investigated the data samples which were on sale. Afterward, it was confirmed that someone took advantage of the bug before it was fixed. At the time, Twitter notified the affected users immediately.
In its blog post, Twitter strongly recommends that its users enable 2-factor authentication using authentication apps or hardware security keys to protect their accounts from unauthorized logins. The company also encourages Twitter users to remain extra vigilant when receiving any kind of communication over email, since threat actors may leverage the leaked information to create very effective phishing campaigns.