Millions of Twitter users hacked in ‘colossal’ security breach

Twitter says it ‘deeply regrets’ private data leak

Anthony Cuthbertson
Monday 28 November 2022 08:07 EST
Comments
Hackers have gained access to private information of millions of Twitter users after discovering a vulnerability
Hackers have gained access to private information of millions of Twitter users after discovering a vulnerability (The Associated Press)

Millions of Twitter accounts have been compromised after a security bug was exploited by hackers.

User records of over 5.4 million people were stolen through a vulnerability known as an API (application programming interface) attack, which exposed private phone numbers and email addresses.

Twitter patched the issue after it was made public through a bug bounty programme in December 202, however hackers had already taken advantage of it and began selling the stolen data in July 2022.

A report from BleepingComputer revealed the full extent of the security breach over the weekend, with Twitter confirming that the API bug was only fixed in January 2022.

Twitter said that it “deeply regretted” allowing the incident to happen in an advisory about the privacy breach, adding that it would directly notify any users impacted.

Security experts warned the full extent of how hackers may exploit the data is not yet clear.

“This is a potentially colossal breach that could affect millions of people,” said Jamie Akhtar, CEO of software firm CyberSmart. “As the information is out there, you can be sure that cyber criminals will try to leverage it.”

Other security experts warned Twitter users to be vigilant towards any suspicious emails or text messages purporting to be from Twitter in the coming weeks.

Cyber criminals with access to the non-public Twitter data could use it to carry out phishing attacks whereby people are tricked into clicking on links in emails or messages that divert them to pages designed to steal further credentials or even money.

“Although data scraped from a website may not seem like a normal data breach, threat actors can do a lot of damage when they couple it together with private data such as phone numbers and email addresses,” said Jake Moore, a cyber security advisor at malware protection firm ESET.

“Suddenly, the information collected can become far more significant as cyber criminals are then able to attempt a variety of phishing attacks on accounts and gain further illicit access to multiple accounts. [These types of] vulnerabilities can cause significant damage but they are usually patched quickly as was the case with this one, however nefarious actors unfortunately abused this exploit whilst available.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in