Twitter data privacy incident (August 2022)

Twitter has just confirmed a privacy incident stemming from a vulnerability that was reported to the company in January 2022. In July 2022, it became known that someone had used this vulnerability to siphon personal data from Twitter users. Here is some information about the incident.


Catalin Cimpanu points to the Twitter data privacy incident in the following tweet; the company's own disclosure is published here.

Twitter data protection incident

A vulnerability allowed third parties to enter a phone number or email address in a login flow and learn whether that information was linked to an existing Twitter account. If it was, the account itself could also be determined. The bug was introduced by an update to Twitter's code in June 2021.

In January 2022, Twitter received a report of this vulnerability through its bug bounty program. If someone submitted an email address or phone number to Twitter, the system disclosed which Twitter account that email address or phone number was associated with. When the Twitter people learned of the bug, it was immediately investigated and fixed. At that point, there was no evidence that anyone had exploited the vulnerability.
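The defect described above is an account-enumeration leak: the response to a lookup differs depending on whether the identifier is registered, and in Twitter's case even revealed the linked account. The following added example (my own illustration, not Twitter's code) shows a hypothetical lookup handler with that defect beside a hardened version that answers uniformly, plus a small detector that flags sources probing many distinct identifiers in constructed log lines. All names, the user table and the log content are made up for the example.

```python
"""Added example: account-enumeration leak vs. uniform response, plus a
detector for enumeration-style traffic. Not Twitter's code; all data here
is constructed for illustration."""
from collections import defaultdict

# Constructed sample user table (hypothetical identifiers -> account handle).
USERS = {
    "alice@example.com": "alice_handle",
    "+15550001111": "bob_handle",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Defective handler: the response shape depends on whether the
    identifier is registered, and it even returns the linked account."""
    if identifier in USERS:
        return {"status": "found", "account": USERS[identifier]}
    return {"status": "not_found"}


def lookup_hardened(identifier: str) -> dict:
    """Hardened handler: the caller gets the same response either way.
    Any follow-up (e.g. sending a recovery link) happens out-of-band to the
    identifier's owner, so nothing about registration status is revealed.
    In production this also needs rate limiting and near-constant timing."""
    if identifier in USERS:
        pass  # enqueue an out-of-band notification here; do not change the reply
    return {"status": "ok",
            "message": "If an account matches, instructions will be sent to it."}


def responses_distinguishable(lookup, identifiers) -> bool:
    """True if the lookup yields different responses for different inputs,
    i.e. if an observer could tell registered from unregistered identifiers."""
    shapes = {tuple(sorted(lookup(i).items())) for i in identifiers}
    return len(shapes) > 1


# Constructed access log: "<source_ip> lookup <hashed_identifier>" per line.
LOG = """\
203.0.113.5 lookup h1
203.0.113.5 lookup h2
203.0.113.5 lookup h3
203.0.113.5 lookup h4
203.0.113.5 lookup h5
203.0.113.5 lookup h6
198.51.100.9 lookup h1
198.51.100.9 lookup h1
"""


def enumeration_suspects(log: str, threshold: int = 5) -> dict:
    """Count distinct identifiers queried per source address and report the
    sources at or above the threshold. A legitimate user retries the same
    identifier; an enumeration run sweeps many different ones."""
    seen = defaultdict(set)
    for line in log.splitlines():
        src, _, ident = line.split()
        seen[src].add(ident)
    return {src: len(ids) for src, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com"]
    print("vulnerable leaks:", responses_distinguishable(lookup_vulnerable, probe))
    print("hardened leaks:  ", responses_distinguishable(lookup_hardened, probe))
    print("suspects:", enumeration_suspects(LOG))
```

The `responses_distinguishable` check is a cheap regression test to keep in a test suite for any lookup, login or recovery endpoint: if two identifiers with different registration status produce different responses, the endpoint is an enumeration oracle. The detector is deliberately simple; a per-source count of distinct identifiers is usually enough to surface a sweep in logs.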

In July 2022, the Twitter folks learned through a press report that someone may have exploited the vulnerability and offered to sell the information they had collected. A sample of the data for sale confirmed that a bad actor had exploited the issue before the fix.

Twitter plans to notify affected account holders directly. However, it is unclear whether all potentially affected accounts can be identified and their owners notified. Twitter is paying particular attention to people with pseudonymous accounts, who could be targeted by governments or other actors. The recommendation is not to link a publicly known phone number or email address to a Twitter account.

