Micro-blogging site Twitter was hit by a massive data breach that allowed an attacker to access sensitive information of about 5.4 million Twitter users. The company has confirmed a zero-day attack that occurred in December last year. However, the data breach was reported only in July, and Twitter has now said that it has fixed the vulnerability.
Even though Twitter has acknowledged the leak, the sensitive data of 5.4 million Twitter users remains in the hands of a malicious hacker. The data obtained by the attacker included information such as URL, profile picture, location and other details.
According to a report by Bleeping Computer, the attacker exploited a security flaw that let anyone submit a phone number or email address, learn whether it belonged to an active Twitter account, and retrieve that account's information. The micro-blogging site learned of the breach through a press report last month, which found a listing on a cybercrime forum claiming to hold the user data and offering the compiled information for sale.
“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened. While there’s no action for you to take specific to this issue, we want to share more about what happened, the steps we’ve taken, and some best practices for keeping your account secure,” Twitter said in a statement.
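The flaw Twitter describes is a classic account-enumeration defect: a login or recovery endpoint whose response differs depending on whether the submitted phone number or email is registered. The following added example (not Twitter's code; the user table, identifiers and response strings are constructed) contrasts the leaky pattern with a hardened one that answers identically in both cases and delivers any real consequence out of band, plus a per-caller rate limiter as a second layer against bulk querying.

```python
"""Account-enumeration defect in a login/recovery flow, vulnerable and hardened.

Added illustration, not Twitter's code. The user table, identifiers and
response strings are constructed for the example.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Optional

# Constructed sample store mapping a contact identifier to the account handle.
USERS = {
    "alice@example.com": "alice_handle",
    "+15550001111": "bob_handle",
}


def lookup_leaky(identifier: str) -> dict:
    """Vulnerable pattern: the response differs depending on whether the
    identifier is registered, and even returns the linked handle. A caller
    can submit many phone numbers or emails and map each to an account."""
    handle = USERS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


OUTBOX = []  # constructed stand-in for an email/SMS gateway


def _deliver_out_of_band(identifier: str, handle: str) -> None:
    """Send the login code / reset link to the contact channel itself."""
    OUTBOX.append((identifier, handle))


def lookup_hardened(identifier: str) -> dict:
    """Hardened pattern: identical response whether or not the identifier
    exists. The real effect (a code or link) goes to the identifier's own
    channel and is never echoed back to the caller."""
    handle = USERS.get(identifier)
    if handle is not None:
        _deliver_out_of_band(identifier, handle)
    return {
        "status": "accepted",
        "message": "If this contact is registered, we will send instructions to it.",
    }


class RateLimiter:
    """Second layer: cap lookups per caller in a sliding window so the
    endpoint cannot be driven in bulk even if a behavioural difference
    (timing, wording) slips through."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, caller: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[caller]
        while q and now - q[0] > self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def responses_distinguishable(lookup: Callable[[str], dict]) -> bool:
    """True if a registered and an unregistered identifier yield different
    responses, i.e. the endpoint leaks account existence."""
    return lookup("alice@example.com") != lookup("nobody@example.com")


if __name__ == "__main__":
    print("leaky distinguishable:   ", responses_distinguishable(lookup_leaky))
    print("hardened distinguishable:", responses_distinguishable(lookup_hardened))
    rl = RateLimiter(limit=3, window_s=60)
    print("4 rapid lookups allowed? ", [rl.allow("203.0.113.7", now=t) for t in (0, 1, 2, 3)])
```

The hardened lookup still does the database work; what changes is that nothing the caller receives depends on the result. The rate limiter is deliberately keyed by caller and uses a sliding window so that the fourth request within the window is refused while requests after the window expires are accepted again.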
The micro-blogging company has started notifying Twitter users affected by the data leak. “We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” Twitter added.