Twitter accounts exposed in major security snafu

Twitter says a flaw in its code exposed the identities of certain account holders

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A flaw in Twitter’s code allowed threat actors to link accounts with theemailaddresses registered against them, potentially exposing theidentitiesof their operators, the social network has confirmed.

Late last week, the company disclosed the flaw in ablog post, in which it apologized for the inconvenience and explained the problem was fixed as soon as it was discovered.

The exploit took advantage of the way Twitter treated failed log in attempts. When someone tried to log in using an email address or a phone number, even if they typed in the wrong password, Twitter used to do two things:

This meant that people running pseudonymous accounts could have had their identities exposed.

Selling data on the dark web

The flaw was first spotted in mid-2021. At the time, Twitter said it couldn’t find any evidence of abuse. “This bug resulted from an update to our code in June 2021,” the company wrote.

A year later, Twitter learned through a press report that someone had actually compiled a list of user accounts with this method and tried to sell it.

Twitter apologized for the inconvenience, said it fixed the issue as soon it was unveiled, and said it will directly notify account owners that were impacted by this problem.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Twitter’s edit button isn’t going to be what any of us really wanted>Millions of Twitter accounts could be at risk of attack due to these security flaws>These are the best endpoint protection services today

“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” the company added.

The microblogging platform has been getting a lot of limelight lately, ever since eccentric billionaire Elon Musk said he intended to acquire it. The future of the deal will now be decided at the Delaware Chancery Court, after Musk attempted to bow out, ostensibly due to volume of bots operating on the platform.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics