MADRID, 8 Aug. (Portaltic/EP) –
Twitter has confirmed that it was the victim of the cyberattack that resulted in the theft and leak of the data of 5.4 million users of the platform, whom it will notify that their confidential information has been exposed.
Earlier in the year, the platform received a report through its bug bounty program, managed by the firm HackerOne, about a security flaw that fraudsters could exploit to access its users' data, as it now explains on its blog.
Specifically, the HackerOne platform connects companies like Twitter with ‘hackers’ so that they can test the social network's security measures in search of flaws, which they report in exchange for financial rewards.
During the process of verifying a duplicate account, a HackerOne user known as ‘zhirinovskiy’ discovered the vulnerability in question in the version of Twitter for Android.
This security flaw allowed anyone who entered an email address or phone number to obtain the corresponding Twitter ID, if there was an account associated with that email or number.
As the company has recently acknowledged, in an entry published in the Privacy section of its blog, this system error was the result of an update to its security code, implemented in June 2021.
Twitter has pointed out that, when it became aware of this problem, it investigated it “immediately” and fixed it. “At the time, we had no evidence to suggest that anyone had taken advantage of the vulnerability,” it said.
However, in July of this year, specialized media such as RestorePrivacy reported the collection and leak of the data of 5.4 million accounts, information that was later put up for sale on the hacking forum Breached Forums.
After reviewing the data that the cybercriminals were selling on this forum, the social network confirmed that they had exploited the problem before it was fixed months earlier.
It has thus confirmed that the privacy of these users was violated and has indicated that it will notify the owners of the affected accounts that their data has been leaked, although it does not actually know all of those that have been affected.
So that users can protect their accounts and the information they contain, the company has proposed a series of measures, such as enabling two-factor authentication. Along with this, it has indicated that in this attack the threat actors did not gain access to the access credentials.
In addition, it has recommended that owners of anonymous accounts, in order to keep their identity as hidden as possible, not associate them with a “publicly known” phone number or email.