Musk-owned Twitter has finally confirmed the reports of the recent data leak of millions of user profiles in November 2022.
The micro-blogging platform confirmed that the recent leak resulted from the same data breach it disclosed in August 2022. According to reports, Twitter’s incident response team has examined the user data leaked in November 2022.
The team has confirmed that the data was obtained through a vulnerability introduced by a code update in June 2021. Twitter adds that the vulnerability was fixed in January 2022.
The recent data leak is reported to have disclosed the email addresses and phone numbers of millions of Twitter users.
The Extent of Data Compromised
The reports indicate that the threat actor had allegedly collected the phone numbers and email addresses of over 5.4 million user profiles before Twitter fixed the vulnerability.
It included both public and non-public data. The scraped data was posted for sale on a hacker forum in July 2022 for $30,000. Other threat actors released the same records in different file formats in September 2022 and November 2022, covering all 5.4 million users originally scraped in 2021.
Around the same time, a researcher also released samples of scraped Twitter user profiles that did not belong to the original set of 5.4 million profiles.
Reportedly, this data set is much bigger and contains over 17 million user records, all collected using the same API vulnerability.
Twitter first received a report that its user data could be compromised in January 2022, through its bug bounty program. The report stated that an API vulnerability was allowing the leak.
In its official blog, Twitter has explained that if you submit a phone number or an email address to Twitter’s systems, it’ll give you the Twitter account to which the submitted phone number or email address is associated, if there’s any.
Twitter says someone took advantage of the bug and compiled the data to sell it.
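The lookup behaviour described above, modelled as an added example (this is illustrative code, not Twitter's own): a contact-lookup function that resolves any submitted email or phone number to a handle and reports whether a match exists, beside a hardened contact-sync design that honours per-user discoverability settings, returns the same shape whether a contact is absent or simply not discoverable, and caps lookups per caller so abuse shows up in a detection log. The accounts, handles and quota values are constructed for the example.

```python
from __future__ import annotations

import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool


# Constructed sample directory for this example; not real users.
ACCOUNTS = (
    Account("alice_anon", "alice@example.test", "+15550100", False, False),
    Account("bob_public", "bob@example.test", "+15550101", True, True),
    Account("carol", "carol@example.test", "+15550102", True, False),
)


def lookup_vulnerable(contact: str) -> dict:
    """Models the reported bug: any email or phone resolves to its handle
    regardless of the owner's settings, and 'no match' is distinguishable
    from 'match', so the endpoint doubles as an oracle for bulk collection."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return {"found": True, "handle": acct.handle}
    return {"found": False}


class RateLimitExceeded(Exception):
    """Raised when a caller exceeds its lookup quota for the window."""


class ContactSync:
    """Hardened contact-sync lookup (hypothetical design, not Twitter's):
    - honours each account's opt-in for email and phone discovery separately,
    - returns only matched, opted-in handles, so a non-discoverable account is
      indistinguishable from a contact that has no account at all,
    - charges every submitted contact against a per-caller quota, matched or
      not, and records callers who hit the cap for the detection team."""

    def __init__(self, max_contacts_per_window: int = 100,
                 window_s: int = 900, clock=time.monotonic):
        self.max = max_contacts_per_window
        self.window = window_s
        self.clock = clock
        self._usage: dict[str, deque] = defaultdict(deque)
        self.flagged: list[tuple[str, float]] = []  # (caller_id, timestamp)

    def _charge(self, caller_id: str, n: int) -> None:
        now = self.clock()
        q = self._usage[caller_id]
        while q and now - q[0][0] > self.window:  # drop expired entries
            q.popleft()
        used = sum(count for _, count in q)
        if used + n > self.max:
            self.flagged.append((caller_id, now))
            raise RateLimitExceeded(caller_id)
        q.append((now, n))

    def lookup(self, caller_id: str, contacts: list[str]) -> set[str]:
        """Return the handles of opted-in accounts matching any of `contacts`.
        The caller learns nothing about which inputs missed or why."""
        self._charge(caller_id, len(contacts))
        matches: set[str] = set()
        for contact in contacts:
            for acct in ACCOUNTS:
                if contact == acct.email and acct.discoverable_by_email:
                    matches.add(acct.handle)
                elif contact == acct.phone and acct.discoverable_by_phone:
                    matches.add(acct.handle)
        return matches


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("alice@example.test"))
    sync = ContactSync(max_contacts_per_window=5)
    print("hardened:", sync.lookup("app-1", ["alice@example.test", "bob@example.test"]))
```

In the hardened version the response for alice (opted out) and for an address with no account are identical empty results, which removes the enumeration oracle while keeping the legitimate "find friends" feature for users who opted in; the `flagged` list is the hook a detection pipeline would watch for callers sweeping large contact lists.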
Twitter never intended to compromise its users’ privacy; nonetheless, users’ email addresses and phone numbers now circulating in the public domain are a significant threat to user privacy, especially for those who rely on anonymity on the platform.
Twitter Urges Users to Be Vigilant
Twitter points out, however, that no user passwords were compromised when the data was obtained. Irrespective of that, the platform urges its users to be extra vigilant and to activate two-factor authentication, using device-based security or a third-party authenticator app, to prevent unauthorized logins.
Twitter has also asked users to exercise caution when opening emails related to their Twitter accounts and clicking links in them. It warned users to be wary of emails that convey urgency or ask for private information, and to verify the legitimacy of any such email before acting on it.
The platform has provided a form through which users can raise privacy concerns. Twitter has also made phone-number verification mandatory for Twitter Blue as a user-safety measure.
Even though Twitter claims that the previous data leak resulted from a vulnerability, which they’ve already fixed in early 2022, they have yet to confirm the precise number of users affected or exposed during the leaks.