Twitter confirmed Friday that a bad actor used a vulnerability to match private information with potentially anonymous Twitter accounts, posing risks to users’ privacy.
The vulnerability allowed someone to submit an email address or phone number and learn which Twitter account, if any, was tied to that information, along with the account's name, Twitter wrote in a blog post.
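The bug described above is a classic contact-to-account oracle: a lookup endpoint whose response differs depending on whether the submitted email or phone number is registered, and which even returns the matching handle. The following is an added example, not code from Twitter or from the article, showing the vulnerable response pattern beside a hardened one that answers identically for known and unknown contacts, a per-caller rate limit, and a simple detection heuristic run over constructed log lines. The account store, log lines, IP addresses and field names are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample account store (handles and contacts are made up).
USERS = {
    "alice@example.org": "@pseudonymous_alice",
    "+15550001234": "@anon_reporter",
}


def lookup_vulnerable(contact):
    """Pre-fix pattern: the response differs for known vs unknown contacts
    and even returns the handle, so the endpoint acts as a contact->account oracle."""
    handle = USERS.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "handle": handle}


def lookup_hardened(contact):
    """Post-fix pattern: identical response whether or not the contact is known.
    Any account-specific action (e.g. sending a recovery message) would happen
    out of band, to the contact itself, and never surfaces the handle."""
    _ = USERS.get(contact)  # used only for the out-of-band action, never returned
    return {"status": "ok"}


def is_oracle(lookup):
    """True when the lookup lets a caller tell a registered contact from an unregistered one."""
    return lookup("alice@example.org") != lookup("nobody@example.org")


class SlidingWindowLimiter:
    """Per-caller limit on lookups: at most max_calls within `window`."""

    def __init__(self, max_calls, window):
        self.max_calls = max_calls
        self.window = window
        self.calls = defaultdict(deque)

    def allow(self, caller, now):
        q = self.calls[caller]
        while q and now - q[0] > self.window:
            q.popleft()  # drop calls that fell out of the window
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


# Constructed log lines (hypothetical format): timestamp, source, hashed contact, result.
SAMPLE_LOG = """\
2022-01-03T10:00:01Z src=203.0.113.5 contact=h1 result=found
2022-01-03T10:00:02Z src=203.0.113.5 contact=h2 result=notfound
2022-01-03T10:00:02Z src=203.0.113.5 contact=h3 result=notfound
2022-01-03T10:00:03Z src=203.0.113.5 contact=h4 result=found
2022-01-03T10:00:04Z src=203.0.113.5 contact=h5 result=notfound
2022-01-03T10:00:05Z src=203.0.113.5 contact=h6 result=notfound
2022-01-03T10:00:09Z src=198.51.100.7 contact=h1 result=found
2022-01-03T10:30:00Z src=198.51.100.7 contact=h9 result=notfound
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) contact=(\S+) result=(\S+)$")


def flag_enumerators(log_text, threshold, window):
    """Return sources that probed more than `threshold` distinct contacts within `window`.
    A normal user checks one or two contacts; bulk matching shows up as many distinct
    contacts from one source in a short span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events[m.group(2)].append((ts, m.group(3)))
    flagged = set()
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            distinct = {c for t, c in evs[i:] if t - t0 <= window}
            if len(distinct) > threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("vulnerable is oracle:", is_oracle(lookup_vulnerable))
    print("hardened is oracle:", is_oracle(lookup_hardened))
    print("flagged sources:", flag_enumerators(SAMPLE_LOG, 5, timedelta(minutes=1)))
```

The hardened lookup is only half of the fix: a uniform response still leaks nothing, but the out-of-band action (a message to the contact) must not be observable to the caller either, and the rate limit plus the distinct-contact heuristic are what make bulk matching against millions of contacts expensive and visible.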
“We can confirm the impact was global,” a Twitter spokesperson said in an email. “We cannot determine exactly how many accounts were impacted or the location of the account holders.”
No passwords were compromised in the breach.
Twitter said it would directly notify account owners it confirmed were affected. The company did not provide a number of accounts it confirmed as affected by the security breach. However, news outlet Bleeping Computer reported in July that the threat actor allegedly put data from 5.4 million users up for sale after exploiting the vulnerability. Twitter notes that it became aware of the data abuse through a press report but does not cite the source or any additional details.
The social media giant noted it could not confirm the full impact of the breach.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” Twitter said in the blog post.
The exposure could place accounts that use anonymity as a guard against harassment and potential violence, especially accounts belonging to dissidents in authoritarian countries, at serious risk. User information is so valuable to autocratic states that a former Twitter employee now stands trial for allegedly accepting payments from the Saudi Arabian government in exchange for sharing information on political dissidents.
In Iran, Twitter has also become a popular platform for political dissidents.
Data exposed in the Twitter breach would be a gold mine for authorities in countries such as Iran or Saudi Arabia, says Cerfta Lab founder Amin Sabeti, who specializes in Iran-related security research. Sabeti has identified state actors going after private accounts in the past, using social engineering techniques like posing as an attractive woman to get an account to reveal real personal information.
“If the Iranian regime can get a copy of this data and then find their target, it doesn’t matter if the user deletes the account right now because the user will be identified via mobile number or email,” Sabeti wrote in a message to CyberScoop. “Eventually, it is a lost game for the potential victim in Iran and we might never ever hear from them. They will be arrested or even sentenced to death.”
Such a massive set of data could also be exploited for commercial purposes including advertising.
Twitter addressed the vulnerability after a researcher reported it through the company’s bug bounty program in January 2022, which means any accounts created after then should be unaffected by the incident. The company says the bug resulted from a 2021 code update.
This isn’t Twitter’s first stumble with consumer privacy. In May, Twitter agreed to pay a $150 million fine to settle a complaint from the Justice Department alleging the company between 2014 and 2019 used information account holders provided for security verification for advertising purposes without user permission. In 2020, Irish regulators fined Twitter nearly half a million dollars for a bug that exposed private tweets.
The company is warning users to not tie sensitive data to anonymous accounts.
“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” Twitter wrote in its blog Friday. “To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”