A security vulnerability on Twitter allowed a bad actor to find out the account names associated with specific email addresses and phone numbers, Twitter confirmed on Friday.
Twitter initially fixed the issue in January after receiving a report through its bug bounty program, but a hacker managed to exploit the flaw before Twitter even knew about it.
The vulnerability, which stemmed from an update to the platform’s code in June 2021, went unnoticed until earlier this year, giving hackers several months to exploit it. However, Twitter “had no evidence to suggest someone had taken advantage of the vulnerability” when it was discovered.
A hacker exploited the vulnerability while it flew under Twitter’s radar. The hacker reportedly compiled a database of over 5.4 million accounts by taking advantage of the flaw and then tried to sell the information on a hacker forum for $30,000. After examining the data posted to the forum, Twitter verified that its user data had been compromised.
It’s still unclear how many users have been affected, and Twitter doesn’t seem to know. While Twitter says it intends to notify affected users, it isn’t “able to confirm every account that was potentially impacted.” As a result, Twitter advises anyone concerned about keeping their account pseudonymous to enable two-factor authentication and to attach only an email address or phone number that isn’t publicly known to any account they don’t want associated with them.
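The flaw described above belongs to the account-enumeration class: an endpoint that answers differently depending on whether an email address or phone number is registered lets a caller map contacts to account names at scale. The following is an added illustration, not Twitter’s code and not a description of the actual endpoint involved. It contrasts a lookup handler that leaks the mapping with a hardened version that answers uniformly, rate-limits each caller, and keeps an audit trail so bulk probing can be detected; the account store, contacts, handles, and thresholds are all constructed for the example.

```python
"""Account-enumeration demo (hypothetical, not Twitter's implementation):
a contact-lookup endpoint that reveals which emails/phones are registered,
beside a hardened version with a uniform response, a per-caller rate
limit, and an audit log that a detection routine can scan."""
import time
from collections import defaultdict
from typing import Optional

# Constructed sample account store: hypothetical contacts and handles.
ACCOUNTS = {
    "alice@example.com": "@alice_example",
    "+15550001111": "@bob_example",
}


def lookup_vulnerable(contact: str) -> dict:
    """Enumeration-prone: the status and body differ depending on whether
    the contact is registered, and the body even discloses the handle."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"status": 404, "body": "no account uses this contact"}
    return {"status": 200, "body": f"this contact belongs to {handle}"}


class HardenedLookup:
    """Same answer for known and unknown contacts; the only side effect of
    a registered contact is an internal notification the caller never sees."""

    UNIFORM = {"status": 202, "body": "if an account uses this contact, we will message it"}
    LIMITED = {"status": 429, "body": "too many requests"}

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit = limit               # lookups allowed per caller per window
        self.window = window             # window length in seconds
        self.calls = defaultdict(list)   # caller -> timestamps of accepted lookups
        self.outbox = []                 # (contact, handle) notifications to deliver
        self.audit = []                  # (timestamp, caller, contact) for detection

    def lookup(self, contact: str, caller: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        # Every attempt is recorded, including ones that get rate-limited.
        self.audit.append((now, caller, contact))
        recent = [t for t in self.calls[caller] if now - t < self.window]
        if len(recent) >= self.limit:
            self.calls[caller] = recent
            return dict(self.LIMITED)
        recent.append(now)
        self.calls[caller] = recent
        handle = ACCOUNTS.get(contact)
        if handle is not None:
            # Internal side effect only: the response below is identical either way.
            self.outbox.append((contact, handle))
        return dict(self.UNIFORM)


def bulk_enumerators(audit, distinct_threshold: int = 3):
    """Detection: callers that probed more distinct contacts than the threshold
    within the audit trail, which is the signature of mapping contacts to accounts."""
    per_caller = defaultdict(set)
    for _ts, caller, contact in audit:
        per_caller[caller].add(contact)
    return sorted(c for c, seen in per_caller.items() if len(seen) > distinct_threshold)


if __name__ == "__main__":
    # The leaky handler tells a caller which branch ran; the hardened one does not.
    print(lookup_vulnerable("alice@example.com"), lookup_vulnerable("nobody@example.com"))
    svc = HardenedLookup(limit=5, window=60)
    for i in range(8):
        print(svc.lookup(f"probe{i}@example.com", caller="scraper", now=1000.0 + i))
    print("flagged callers:", bulk_enumerators(svc.audit))
```

The uniform response is the core fix; the rate limit slows bulk probing, and the audit log is what lets a defender notice the slow-and-low variant that stays under the limit but still touches an unusual number of distinct contacts from one caller.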
Please follow these steps:
Change your password: Change your password immediately from the Password tab in Settings. If you are logged out, log in and click Forgot Password to reset it. Choose a strong password you haven’t used before. If you are unable to log in, your account may have been hacked.
Changing an account’s password does not automatically log the account out of the Twitter for iOS or Android apps. To log the account out of these apps, log in on the web and visit Apps in your settings. From there, you can revoke access to the application; the next time the app is launched, it will prompt for the new password.
If you frequently receive password reset messages you did not request, you can require that your email address and phone number be entered to initiate a password reset. See the instructions and information about resetting your password.
Ensure your email address is secure: Make sure that the email address attached to your account is secure and that you are the only one with access to it. You can change your email address from the Twitter app (iOS or Android) or by logging in on twitter.com and opening the Account settings tab. See this article for instructions on updating your email address and for additional email account security tips.
Revoke connections to third-party applications: Visit Apps in your settings while logged in. Revoke access to any third-party application that you don’t recognize. If you use the Teams feature in TweetDeck, we strongly recommend you check the members list and remove any users you don’t recognize. You can learn more about the Teams feature.
Update your password in your authorized third-party applications: If a trusted external application uses your Twitter password, be sure to update your password in that application. Otherwise, you may be temporarily locked out of your account due to failed login attempts. Your account should now be secure, and you shouldn’t see unexpected account behavior going forward. If you’re still encountering issues, please file a support request for assistance.
Protect your account with simple safeguards
Take these additional precautions if your account has been compromised:
- Delete any unwanted Tweets that were posted while your account was compromised.
- Scan your computer for viruses and malware, especially if unauthorized account activity continues after you’ve changed your password.
- Install security patches for the operating system and applications.
- Always use a strong, new password that you don’t use elsewhere and that would not be easy to guess.
- Consider using two-factor authentication. Instead of relying on just a password, login verification introduces a second check to ensure that you, and only you, can access your Twitter account.
How do Twitter accounts become compromised?
Accounts may become compromised:
- if you’ve given your username and password to a malicious third-party application or website,
- if your Twitter account is vulnerable because of a weak password,
- if viruses or malware on your computer are harvesting passwords, or
- if you’re on a compromised network.
Unexpected updates don’t always mean that your account was hacked. Occasionally, a third-party application can have a bug that causes unexpected behavior. If you see abnormal behavior, changing your password and/or revoking connections will stop it, as the application will no longer have credentials for your account.
It’s best to take action as soon as possible if updates appear in your account that you did not post or approve.