Twitter confirms hacking of millions of accounts: change your password and these security settings

Twitter has confirmed an attack revealing the identity and data of more than 5 million accounts.

Those who protect their privacy behind a pseudonymous account on this social network should review the configuration and security settings of their profiles. Twitter has confirmed an attack, made public a month ago, in which 5.4 million accounts were exposed along with their phone numbers and personal email addresses.

The company is attempting to notify all affected accounts of the problem, but advises taking action as soon as possible, tightening profile security and unlinking accounts from data such as email or phone numbers for added security. “If you operate a pseudonymous Twitter account, we understand the risks an incident like this can present.”

The hack occurred in January. Twitter then disclosed a vulnerability found in early 2022, thanks to its bug bounty program, and a fix was completed on Jan. 13. In that time, however, hackers exploited the weakness in the system to access data.

The vulnerability allowed an unauthenticated person with sufficient knowledge to submit a phone number or email address and have Twitter’s systems return the account associated with it, even if the account owner had prohibited that lookup in their privacy settings.
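An added example, not Twitter's code: the class of lookup flaw described above, next to a version that requires an authenticated caller and honors the owner's discoverability setting. All names, fields and sample records are hypothetical, and the authentication requirement is an assumed mitigation.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Set

@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    find_by_email: bool  # owner's privacy setting (hypothetical field name)
    find_by_phone: bool

# Constructed sample records, not real data.
ACCOUNTS = [
    Account("@open_user", "open@example.com", "+15550100", True, True),
    Account("@pseudonym", "real.name@example.com", "+15550101", False, False),
]

def _find(identifier: str) -> Optional[Account]:
    return next((a for a in ACCOUNTS if identifier in (a.email, a.phone)), None)

def lookup_flawed(identifier: str, session_user: Optional[str] = None) -> Optional[str]:
    # Flaw: no authentication required and the privacy setting is never read.
    acct = _find(identifier)
    return acct.handle if acct else None

def lookup_hardened(identifier: str, session_user: Optional[str] = None) -> Optional[str]:
    # Refuse anonymous callers outright.
    if session_user is None:
        return None
    acct = _find(identifier)
    if acct is None:
        return None
    # Honor the setting that matches the kind of identifier supplied.
    allowed = acct.find_by_email if identifier == acct.email else acct.find_by_phone
    # An opted-out account returns the same result as "no such account".
    return acct.handle if allowed else None

def exposed_handles(lookup: Callable[..., Optional[str]],
                    identifiers: Iterable[str],
                    session_user: Optional[str] = None) -> Set[str]:
    # Regression check: which handles does a caller learn from these identifiers?
    return {h for i in identifiers if (h := lookup(i, session_user)) is not None}
```

Run as a regression test, `exposed_handles` should never contain an account whose owner has turned discoverability off, whatever the caller's authentication state.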

“At the time, we had no evidence to suggest that anyone had taken advantage of the vulnerability,” Twitter explains. However, in mid-July, the company learned that a database of 5.4 million accounts obtained through this vulnerability was being sold on the Internet for $30,000. “After reviewing a sample of the data available for sale, we confirmed that a bad actor had taken advantage of the problem before it was fixed,” the company now states.

The sale of such information may be for “advertising purposes or the purpose of identifying celebrities in malicious activity.” Suspended accounts are also included in the data, widening the scope of the leak even further. This kind of data, it should not be forgotten, is often used in new phishing and identity theft campaigns.

Having already repaired the breach, in the face of the disclosure of the stolen data, Twitter is trying to notify the affected parties directly of the problem. However, they are unable to confirm all the accounts whose data is in the leaked database, so they are issuing this statement to warn users and advise them to strengthen the security of their profiles.

How to protect your account

The problem mainly affects accounts that use a pseudonym as a name, because the exposed phone number or email address could reveal their identity and open new avenues for harassment or cyberattacks. “We recommend that you do not add a publicly known phone number or email address to your Twitter account.”

Although the company indicates that no passwords were revealed in this hack, it advises strengthening the login process by enabling two-factor authentication. Changing the password after an attack like this is always advisable, but companies now place particular emphasis on two-factor authentication to further protect access.

This second factor can be a text message, a dedicated app or a security key. Twitter also sends an alert when an account is logged into from a new device, so the owner can make sure that no one is accessing it without permission.

