In a development that is of relevance to millions of people around the world, microblogging website Twitter has officially confirmed that data of over five million users was hacked through a vulnerability in its system earlier this year.
The Free Press Journal examined a data sample of 56 users and noted that out of these, three were Indian and one, if not Indian, was at least Asian. In a post uploaded on its website on Friday, Twitter stated that a vulnerability in its system (now patched) could allow someone to simply enter an email address or phone number and find all Twitter accounts connected to it.
The lookup worked even if the user had restricted the privacy settings on their account. In its update, Twitter said that the bug resulted from an update to its code in June 2021.
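The defect the article describes is a contact-lookup path that returned every account tied to an email address or phone number without consulting the owner's discoverability settings. The following Python is an added illustration, not Twitter's code: a constructed account directory with per-channel opt-in flags, the vulnerable lookup beside a hardened one that honours those flags, and a simple per-caller lookup budget to blunt the one-number-at-a-time querying the article warns about. Names, data and the quota value are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Account:
    handle: str
    email: str
    phone: str
    # Per-channel opt-in, modelled on "let people find you by email / by phone"
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False

# Constructed sample directory; none of these are real users.
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550000001", True, False),
    Account("pseudonymous_bob", "bob@example.com", "+15550000002", False, False),
    Account("carol", "carol@example.com", "+15550000003", True, True),
]

def _normalize(identifier: str) -> str:
    return identifier.strip().lower()

def lookup_vulnerable(identifier: str) -> list:
    """Behaviour described in the article: any match is returned, settings ignored."""
    ident = _normalize(identifier)
    return [a.handle for a in ACCOUNTS if a.email == ident or a.phone == ident]

def lookup_hardened(identifier: str) -> list:
    """Return a handle only if the owner opted in on the channel actually queried.
    A non-match and an opted-out match both yield [] so the caller learns nothing."""
    ident = _normalize(identifier)
    by_phone = ident.startswith("+")
    matches = []
    for a in ACCOUNTS:
        if by_phone and a.phone == ident and a.discoverable_by_phone:
            matches.append(a.handle)
        elif not by_phone and a.email == ident and a.discoverable_by_email:
            matches.append(a.handle)
    return matches

class LookupQuota:
    """Per-caller budget (assumed value); bulk enumeration exhausts it quickly."""
    def __init__(self, limit: int):
        self.limit, self.counts = limit, {}

    def allow(self, caller: str) -> bool:
        self.counts[caller] = self.counts.get(caller, 0) + 1
        return self.counts[caller] <= self.limit

def lookup_guarded(identifier: str, caller: str, quota: LookupQuota):
    """Hardened lookup gated by the caller's quota; None signals the budget is spent."""
    return lookup_hardened(identifier) if quota.allow(caller) else None
```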
“When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,” Twitter said.
A ‘bug bounty program’ is an initiative undertaken by most tech giants, where they offer bounties to independent ethical hackers in exchange for finding vulnerabilities in their system.
In this case, the bug was found by a hacker known online as “zhirinovskiy”, and he was paid $5,040. The ramifications of the bug were huge, as a patient hacker could simply keep entering phone numbers one by one and gather data on the Twitter accounts associated with each number, stumbling upon celebrities in the process.
Further, such information, known as Personally Identifiable Information (PII), could be compiled and sold on the dark web to interested parties.
Everyone’s worst fears unfortunately came true in July this year, when a threat actor uploaded a post on a dark web forum, offering hacked data of over 5.4 million Twitter users for sale. The hacker, identifying himself as “devil”, had put up a small sample as proof.
Twitter, in its official update, said, “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed. We will directly notify the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”