Twitter accounts exposed in major security snafu

The Twitter logo spray painted onto ripped paper surrounded by white, blue and black noise
Twitter's new Verification feature could be messier than we realized (Image credit: Twitter)

A flaw in Twitter’s code allowed threat actors to link accounts with the email addresses registered against them, potentially exposing the identities of their operators, the social network has confirmed.

Late last week, the company disclosed the flaw in a blog post, in which it apologized for the inconvenience and explained the problem was fixed as soon as it was discovered. 

The exploit took advantage of the way Twitter treated failed log in attempts. When someone tried to log in using an email address or a phone number, even if they typed in the wrong password, Twitter used to do two things:

  • Tell the user they’d submitted the wrong password
  • Show the Twitter handle associated with that email address or phone number (if any exist)

This meant that people running pseudonymous accounts could have had their identities exposed. 

Selling data on the dark web

The flaw was first spotted in mid-2021. At the time, Twitter said it couldn’t find any evidence of abuse. “This bug resulted from an update to our code in June 2021,” the company wrote.

A year later, Twitter learned through a press report that someone had actually compiled a list of user accounts with this method and tried to sell it. 

Twitter apologized for the inconvenience, said it fixed the issue as soon it was unveiled, and said it will directly notify account owners that were impacted by this problem. 

“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” the company added.

The microblogging platform has been getting a lot of limelight lately, ever since eccentric billionaire Elon Musk said he intended to acquire it. The future of the deal will now be decided at the Delaware Chancery Court, after Musk attempted to bow out, ostensibly due to volume of bots operating on the platform.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.