Twitter has been forced to report yet another security flaw within its systems that had enabled users to uncover whether a phone number or email address was connected to an existing Twitter account – which has led to at least one hacker compiling a huge listing of Twitter account information that was then subsequently sold online.
As explained by Twitter:
“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. When we learned about this, we immediately investigated and fixed it. ”
So, essentially, by using Twitter’s tools designed to help users find connections that are also active in the app, you could theoretically create a database of Twitter accounts attached to any phone number or email address that you located on the web.
This is not a huge revelation. Back in 2015, BuzzFeed used a similar flaw in Twitter’s systems to uncover the burner account of a far-right politician in Australia. But it’s the mass-use of this process that could lead to problems.
Which is exactly what’s occurred:
“In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”
Indeed, according to BleepingComputer, it’s spoken to a person who used this flaw to compile a database of 5.4 million Twitter account profiles ‘including a verified phone number or email address, and scraped public information, such as follower counts, screen name, login name, location, profile picture URL, and other information’.
The person, BleepingComputer says, has been looking to sell the dataset for around $30k, and several buyers have reportedly since acquired the cache.
It’s not a massive breach, as this is, for the most part, publicly available info – you’re not getting anything that’s not freely available via other means on the web. But for users that had been looking to keep their Twitter profile separate from their IRL identity, or those that might be tweeting about divisive topics, it does mean that people could potentially track down their phone numbers, via this list, and harass them in a whole new, and more extreme, way.
In fact, if you follow the breadcrumbs, you could likely track down a person’s address and other info as an extension of this dataset. For example, let’s say Twitter user @JohnDoe77 says something that you don’t like – you could search for their username in this database, if you had access, and see if they have a mobile number listed. You could then search for that number online, and likely find further contact info, etc.
The data itself may not seem like an extreme breach, it’s not revealing confidential info attached to your Twitter account, as such. But it’s still potentially problematic. Which is not a good look for Twitter.
It’s also not the first time that Twitter has dealt with a data misuse issue of this type.
Back in 2018, the platform uncovered an issue related to one of its support forms, which exposed the country code of people’s phone numbers, if they had one associated with their Twitter account, as well as whether or not their account had been locked. In 2019, Twitter also found that some email addresses and phone numbers that had been provided for account security had additionally been used for ad targeting purposes, in violation of data usage regulations.
These are all relatively minor flaws, in a data flow sense. But they don’t paint a great picture of Twitter’s capacity to manage such, and to keep people’s personal information safe.
Twitter also needs to tread very carefully right now, given the ongoing legal battle in the Elon Musk takeover case. At present, Musk and his team are seeking to exit the deal, on the basis that Twitter has misrepresented its data, constituting ‘Material Adverse Effect’, which means that something significant has altered the original, agreed upon terms, to the point that the platform is no longer as valuable as it originally was at the time of the agreement.
Musk’s team is using Twitter’s fake and spam account numbers as the key lever here – but if a data breach like this were significant enough, that too could be added to Musk’s legal case, giving it more grounds to raise questions over Twitter’s official representations, which may then constitute adverse impact.
It doesn’t seem like this breach would reach that level, but it’s another reminder for Twitter to check and re-check its systems to ensure that there are no major data flaws or exposure concerns that could be used against them – both directly and in a legal sense.
Right now, however, Twitter’s working to manage the issue, by closing the potential exploit and directly notifying the account owners impacted.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”
It’s not great, and it could get a lot worse if that dataset falls into the wrong hands.
Essentially, this isn’t a major problem right now, but it could become one. And in the midst of its biggest legal battle, possibly ever, Twitter doesn’t need another distraction – aside from the direct impacts of the breach on those included in the list.