More than 5 million Twitter accounts impacted by recent data breach

Account details of approximately 5.4 million Twitter users have been accessed by an individual using a security exploit, who then listed the information for sale on a hacking forum.

The exploit enabled a bad actor to acquire the email addresses and phone numbers linked with Twitter accounts, regardless of the users’ privacy settings. This vulnerability was specific to Twitter on Android and has since been resolved. Twitter recently acknowledged the security issue, saying it took action following a bug report in January 2022.

However, it appeared that someone took advantage of the issue before it was fixed and bided their time. In July 2022, a BreachForums user claimed on the hacking forum they had data on more than 5.4 million users including “celebrities” and “companies”. Further investigation found the user’s claim to be legitimate and that they were asking for no less than US$30,000 in exchange for the data.

In response to the potential sale of users’ data, Twitter announced it would directly notify account holders confirmed to be impacted. The social media company added that it couldn’t confirm every account involved and was “particularly mindful of people with pseudonymous accounts”. Twitter also reiterated the importance of enabling two-factor authentication as an additional security measure but assured users that no passwords were exposed.

On the two-factor front, Twilio was recently caught up in a data breach of its own. Employees of the company behind the two-factor authentication app Authy fell victim to a phishing scam where they were tricked into visiting a fake Twilio login page. It resulted in 1,900 Signal users being impacted, too.

If you’re concerned you may be involved in a data breach, it’s worth visiting Have I Been Pwned? It’s a trusted site that notifies you of known breaches across many major websites. You can even receive notifications when your details are found as part of a breach, serving as a good reminder to change passwords or shut down unused accounts.

LinkedIn was a major target for phishing attempts earlier in the year, so remember to take all precautions when it comes to digital security. If you’re not sure about a dodgy link, don’t click it – type the URL manually instead. Scamwatch is also a good resource to find out what to look out for locally.
