At the beginning of January this year, about 5.4 million data records were stolen from Twitter due to a security hole. After the company confirmed the leak last week and wanted to inform affected users, the Have I Been Pwned Project added about 6.7 million Twitter records to the database.
The data pool consists of a total of 6,682,453 data records. Contains resume, email addresses, geographic location, names, usernames, profile pictures, and phone numbers. In addition to active accounts, the data block also contains suspended accounts. If you subtract approximately 1.4 million accounts, the total of 5.4 million accesses to Twitter, which the company has already confirmed, results in a rounding inaccuracy.
Exploiting the vulnerability in January
The vulnerability became known on January 1 on the HackerOne platform. Her discoverer reported it to Twitter as part of a bug bounty program and received a reward of about $5,000. As a result, the login process contained a vulnerability that allowed an attacker to associate a Twitter account with private information such as an email address and phone number, even though privacy settings should hide it.
Although the vulnerability could be exploited in the Twitter for Android app, the error originated from the server side. It is clear that an unknown attacker collected the data disclosed in this way before the gap closed on January 13 of this year and put it up for sale in July.
Even if the data does not contain passwords, Twitter recommends enabling multi-factor authentication (MFA). Thanks to the integration into the Have-I-Been-Pwned database, you can now check for yourself if your email address has been affected. Victims should be careful with incoming SMS or emails, for example – cybercriminals often use this type of information to make phishing attacks appear more reliable and thus convince victims to reveal other sensitive data such as passwords or MFA responses.
(DMK)
