Twitter has confirmed it was the victim of a cyberattack in which data belonging to 5.4 million users was stolen and leaked. The platform will send affected users a notification indicating that their confidential information has been exposed.
At the beginning of the year, the platform received, through the bug bounty program managed by the firm HackerOne, a report of a vulnerability that scammers could exploit to access its users’ data, as the company now explains on its blog.
HackerOne connects companies like Twitter with ‘hackers’ who test the social network’s security measures, looking for flaws and reporting them in exchange for financial rewards.
A HackerOne user known as ‘zhirinovskiy’ discovered the vulnerability, in the Android version of Twitter, during the process of verifying a duplicate account.
The vulnerability allowed anyone who entered an email address or phone number to obtain the corresponding Twitter ID, if an account was associated with that email or number.
As the company recently admitted, in a post in the Privacy section of its blog, the flaw was the result of an update to its security code implemented in June 2021.
Twitter stated that, when it became aware of the problem, it “immediately” investigated and fixed it. “At the time, we had no evidence that anyone was exploiting the vulnerability,” it said.
However, in July of this year, outlets such as RestorePrivacy reported that data from 5.4 million accounts had been collected, leaked and put up for sale on the hacking forum Breached Forums.
After reviewing the data the cybercriminals were selling on that forum, the social network confirmed that they had exploited the issue before it was fixed months earlier.
It therefore confirmed that these users had been compromised and that it will continue to notify the owners of affected accounts that their data has been leaked, although it does not know the full extent of who was affected.
To help users protect their accounts and the information they contain, the company proposed a series of measures, such as enabling two-factor authentication. It also stated that the threat actors in this attack did not have access to login credentials.
In addition, holders of anonymous accounts who want to keep their identities as confidential as possible should not associate them with a publicly known phone number or email address.
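The flaw described above is an account-enumeration bug: a duplicate-account check that tells the caller whether a contact is registered and which account it belongs to. The example below is added here and is not Twitter’s code; it shows a leaky check beside a hardened one that answers uniformly, plus a log-based detector for bulk probing. The account store, log format and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample store: contact identifier -> internal account id (not real accounts).
ACCOUNTS = {"alice@example.com": "1001", "+15555550100": "1002"}


def duplicate_check_vulnerable(contact):
    """Leaky check: confirms existence AND reveals the linked account id to any caller.
    This is the shape of bug described in the article."""
    account_id = ACCOUNTS.get(contact)
    return {"taken": account_id is not None, "account_id": account_id}


def duplicate_check_hardened(contact, send_message):
    """Uniform check: the response is identical whether or not the contact is registered.
    Only whoever controls the contact learns the result, via an out-of-band message
    delivered by send_message(contact, text). The lookup runs in both cases so that
    the response time does not depend on existence."""
    account_id = ACCOUNTS.get(contact)
    if account_id is not None:
        send_message(contact, "An account already exists for this contact.")
    return {"status": "ok"}  # no 'taken' flag, no account id


def flag_enumeration(log_lines, threshold):
    """Detection: callers that probe many DISTINCT contacts are the signature of bulk
    enumeration. Each log line uses the constructed format 'caller_ip contact'.
    Returns the sorted list of caller IPs at or above the threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, contact = line.split()
        seen[ip].add(contact)
    return sorted(ip for ip, contacts in seen.items() if len(contacts) >= threshold)


# Constructed request log: one caller sweeps a list, one caller checks a single contact.
SAMPLE_LOG = [
    "203.0.113.7 alice@example.com",
    "203.0.113.7 bob@example.com",
    "203.0.113.7 +15555550100",
    "203.0.113.7 carol@example.com",
    "198.51.100.2 dave@example.com",
]

if __name__ == "__main__":
    print(duplicate_check_vulnerable("alice@example.com"))
    print(duplicate_check_hardened("alice@example.com", lambda c, t: None))
    print(flag_enumeration(SAMPLE_LOG, threshold=3))
```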