The summer of 2022 was yet another red-faced affair for Twitter when the social media platform experienced a data breach from a bug that had been reported six months earlier. The zero-day vulnerability enabled a bad actor to gain access to the personal data of 5.4 million Twitter users.
This isn't Twitter's first rodeo. “Twitter hacked” is a common headline in social media news, and unfortunately, this recent incident is unlikely to be the last of the Twitter scams. Let's take a look at Twitter's latest failure and its history of data breaches.
A hacker with a heart alerted Twitter to a zero-day vulnerability that would have a serious impact on user privacy and security. On the 1st of January 2022, the ethical hacker known as “zhirinovskiy” submitted a detailed report through Twitter's HackerOne bug bounty program.
It showed how anyone with even the slightest knowledge of scripting or coding could link email addresses and phone numbers to Twitter users' accounts.
Zhirinovskiy warned that anyone armed with this information could easily compile a list and sell it to advertisers or worse, to malicious parties for malicious deeds.
After verifying the details in the report, Twitter acknowledged the bug as a “valid security issue” and set about rectifying the matter. It turned out that the bug stemmed from a Twitter code update made seven months earlier, in June 2021.
On 13 January 2022, five days after receiving the bug report, Twitter marked the issue as resolved and rewarded the ethical hacker with a bounty of $5,040 for his white hat hacker work.
Disaster averted. Or so it seemed.
Twitter hacked: The data breach of 2022
Fast-forward to July 2022, and it was suddenly made clear that the ethical hacker wasn't the only one who had noticed the bug. A hacker with darker intentions had obviously stumbled across the vulnerability and had taken advantage of it before it was fixed. (They did have a seven-month window of opportunity to do so!)
The bad actor using the handle “devil” posted on the infamous hacker forum, Breached Forums, declaring that they had over 5.4 million Twitter user details for sale.
According to reports by Bleeping Computer, the security and technology news site, the list has since been sold. Twice. And for less than the original asking price of $30,000. The seller also told their reporters that the data will likely be made available for free in the future.
What details were leaked in the latest Twitter hacked affair?
This latest data breach included details for Twitter users from around the world, from celebrities to companies, and random everyday people. In their public incident report, Twitter stated that no passwords were exposed, which is little consolation when you consider what was!
Verified phone numbers and email addresses, as well as scraped public information, such as follower counts, screen name, login name, location, and profile picture, were all leaked.
Twitter said at the time that they were in the process of directly notifying the affected account owners but also stated that they were unable to confirm all of the accounts impacted.
This data breach had particular ramifications for pseudonymous Twitter accounts. Human rights activists, whistleblowers, political dissidents, and those who fear retaliation from governments, religious groups, or families for their expression of opinions could be in serious danger.
“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.” - Twitter Help Center
Even though Twitter did react swiftly once informed of the bug, the damage was already done and the incident is just another blow to Twitter's already shaky security reputation.
Data breaches: Twitter's track record
Twitter has been on the social media scene since 2006 and over the years has seen more than its fair share of data breaches. And with a skeleton staff thanks to Elon Musk's rapid firing since taking over, chances are they're likely to see more.
Here's a rundown of the biggest Twitter data breaches from the last five years.
August 2022: Spies in the house of Twitter
As well as dealing with the fallout of the zero-day bug, Twitter has seen a data breach that first came to light in November 2019 rear its ugly head again. Back then, two members of staff were arrested on suspicion of espionage.
On August 9, 2022, former Twitter manager, Ahmad Abouammo, was finally convicted of spying for Saudi Arabia. He was found guilty of gathering and handing over personal data, targeting those who had used anonymous accounts to criticize the Kingdom and the Saudi royal family.
In a Department of Justice statement, US Attorney Stephanie Hinds said,
“Abouammo violated a sacred trust to keep private personal information from Twitter's customers and sold private customer information to a foreign government. Abouammo's decision to accept bribes in exchange for providing to a foreign government the protected information of customers could have untold damaging consequences.”
Twitter was the scene for a Bitcoin scam that also targeted YouTube. The Twitter scam saw the hacker(s) hijack 130 high-profile accounts belonging to the likes of Bill Gates, Barack Obama, and Elon Musk.
The hijacker posted fake messages inviting the account holders' followers to send Bitcoin to an address, promising that the amount would be doubled and returned. The attackers used spear-phishing techniques to gain access to Twitter's internal administration tools and bypass security measures.
Before the scam was contained, the attackers had collected over $100,000 in Bitcoin transfers.
Dmitri Alperovitch, a co-founder of cyber-security company CrowdStrike, described the incident as: "the worst hack of a major social media platform yet."
In October 2019, Twitter had to hang its head in shame as it confessed that the Twitter system had accidentally incorporated data provided for two-factor authentication into its ad systems.
“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes...” – Twitter Help Center
Twitter also didn't handle the situation particularly well.
The data breach took place in September 2019, but Twitter didn't come clean about the incident for about another three weeks. And even then, they were a bit hazy on the details, such as how many users were affected and how long the issue had been going on.
December 2018: Phone number country codes exposed
In mid-December 2018, Twitter announced that it had become aware of a security flaw in one of its support forms. The bug exposed the country code of the phone number linked to a Twitter account, and whether or not the account was locked.
In practice, the bug gave malicious actors a way to determine which country an account holder was located in.
While country codes aren't necessarily considered sensitive personal information for the majority of general users, for some that small detail could be enough to put their life at risk.
Activists, whistleblowers, political dissidents, and users targeted for “silencing” could be tracked down by angry governments or other bad actors seeking retaliation.
Twitter's update on the matter suggested this was a very real threat:
“Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors.” – Twitter Help Center
In May 2018, Twitter discovered a bug that had exposed the passwords of its entire user base, although there was no evidence that a data breach actually occurred. The passwords were also stored unencrypted, in plain text, making them readable to anyone who had access to the system.
The company ended up recommending that all 330 million Twitter users immediately change their passwords as a precaution.
The 2018 incident is probably the most embarrassing of the Twitter hacked headlines...so far. But there is always time!
How to protect yourself from Twitter scams and hacking?
Twitter's “About account security” page has the usual tips on how to keep your account and your data safe. Things like using two-factor authentication (2FA) and strong passwords that you change often can help protect you from data breaches, but as you can see from the examples above, they aren't 100% safe.
Despite its failings, Twitter does provide a valuable service for many activists, giving them a platform to avoid censorship. But doing it safely is the key!
Our advice is, if you want to keep using Twitter, then follow their account safety tips, conduct regular scans of your computer for viruses, spyware, and adware, and ensure your browser and operating systems are kept up to date.
Of course, there is only one way to completely remove the risk of being collateral damage in a Twitter hacked headline, and that is to delete your Twitter account. Check out the Hoody step-by-step guide to deleting your Twitter account.
Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.