Twitter has confirmed a cyberattack that has resulted in the theft and leaking of the data of 5.4 million users of the platform.
The social network has said that it will notify those affected that their confidential information has been exposed, although it has not confirmed the number.
The security breach allowed a Twitter account to be linked to a phone number or email address.
This can expose the identity of users who use the social network under a pseudonym.
At the beginning of the year, the platform received a report through its program of
(errors) and rewards, managed by the firm HackerOne, about a security flaw that fraudsters could take advantage of to access the data of its users, as the company has now explained.
HackerOne is a platform that connects companies like Twitter with hackers so that they can test the security measures of the social network in search of flaws.
The goal is to detect them in exchange for financial rewards.
During the verification process of a duplicate account, a HackerOne user known as
discovered the vulnerability in question, which affected the version of Twitter for the Android operating system (the one used by most mobile brands, with the exception of Apple).
The security flaw allowed anyone who entered an email address or phone number to obtain the corresponding Twitter ID, if there was an account associated with that email address or phone number.
This makes it possible for people who have pseudonymous accounts to be exposed.
As the firm acknowledged last Friday on its blog, the system error was the result of an update to its security code, implemented in June 2021. Twitter points out that, when it became aware of this problem, it investigated it "right away" and fixed it.
"At the time, we had no evidence to suggest that anyone had taken advantage of the vulnerability," the company said.
However, in July of this year, specialized media such as
reported on the collection and leaking of the data of 5.4 million accounts, information that was later put up for sale on the hacking forum Breached Forums.
After reviewing the data that the cybercriminals were trading on this forum, the social network confirmed that they had taken advantage of the problem before it was fixed.
The social network has thus confirmed that the privacy of these 5.4 million users was violated and has indicated that it will notify account owners directly in cases where it can confirm that the data has been compromised.
"We are posting this update because we are unable to confirm every account that has potentially been affected, and we are particularly vigilant for people with pseudonymous accounts who may be targeted by states or other actors," the firm said on its blog.
In order for users to protect their accounts and shield the information they contain, the company has proposed a series of instructions, such as enabling two-factor authentication.
It has also indicated that the authors of the attack have not had access to passwords.
In addition, it has recommended that owners of anonymous accounts, to keep their identity as hidden as possible, not associate them with a "publicly known" phone number or email address.