Twitter has been accused of covering up a major data breach that affected millions of users.
The social media giant reportedly buried a major breach that affected users in the US and EU “no earlier than 2021”, according to cyber security expert and founder of Habitu8, Chad Loder.
Loder has said that the hack, which has “not been reported before”, affects Twitter accounts with the “Let others find you by phone number” discoverability setting enabled. He has also said that “all accounts for the entire country code of France” listed with their full phone numbers have been affected.
Loder has also said that he has confirmed the data in the alleged breach is accurate, having spoken with several of those affected and verified their details.
This comes as data from an earlier-reported hack in July, affecting 5.4 million users, has been posted for free on a hacker forum. It was originally offered for sale back in August.
Twitter reported a major hack dated 27 July this year, in which email addresses and phone numbers were stolen from a range of accounts, including celebrities and “randoms”. The hacker, under the alias “Devil”, posted that they were selling the data of over 5.4 million users on a hacking forum called Breach Forum.
Breach Forum’s owner confirmed the legitimacy of the hack, attributing it to the vulnerability.
“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings,” according to a report on the vulnerability posted to HackerOne by a member called zhirinovskiy.
“The bug exists due to the process of authorisation used in the Android client of Twitter, specifically in the process of checking the duplication of a Twitter account.”
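The flaw the report describes is a classic account-enumeration bug: a pre-authentication check meant only to prevent duplicate sign-ups instead answers "which account owns this phone/email?", bypassing the owner's discoverability setting. The following added example (not code from the article, the HackerOne report or Twitter) models that check in Python with constructed sample accounts, showing the leaky form beside a hardened one that returns a uniform response and keeps contact discovery behind authentication and the per-user setting.

```python
from dataclasses import dataclass

@dataclass
class Account:
    user_id: int
    phone: str
    email: str
    discoverable_by_phone: bool   # "Let others find you by phone number" setting
    discoverable_by_email: bool   # "Let others find you by email" setting

# Constructed sample accounts for the example; not real users or numbers.
ACCOUNTS = [
    Account(1001, "+33600000001", "alice@example.invalid", False, False),
    Account(1002, "+33600000002", "bob@example.invalid", True, True),
]
NOTIFICATIONS = []   # stands in for an out-of-band email/SMS to the account owner

def _find(identifier):
    return next((a for a in ACCOUNTS if identifier in (a.phone, a.email)), None)

def vulnerable_duplicate_check(identifier):
    """Flawed: an unauthenticated caller learns the account ID bound to any
    phone/email, regardless of the owner's discoverability setting."""
    a = _find(identifier)
    return {"taken": a is not None, "user_id": a.user_id if a else None}

def hardened_signup_check(identifier):
    """Hardened: the response is identical whether or not the identifier is
    registered; only the real owner is told, out of band, so nothing about
    other accounts is revealed to the caller. Rate-limit this per caller too."""
    a = _find(identifier)
    if a is not None:
        NOTIFICATIONS.append((a.user_id, "sign-up attempted with your contact details"))
    return {"status": "ok"}

def discoverability_lookup(identifier, caller_authenticated):
    """Contact discovery is a separate path: authenticated, and it honours the
    per-user setting, returning nothing when the owner opted out."""
    if not caller_authenticated:
        return None
    a = _find(identifier)
    if a is None:
        return None
    allowed = a.discoverable_by_phone if identifier == a.phone else a.discoverable_by_email
    return a.user_id if allowed else None
```

A detection-side corollary: a duplicate-check endpoint whose responses differ by identifier, or that is hit at high volume by one unauthenticated client, is the signal to alert on.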
Zhirinovskiy was paid US$5,040 by Twitter to patch the issue in January, and soon confirmed it had been fixed.
However, Twitter was breached on 27 July, and confirmed the breach on 5 August. The social media giant said it would notify any users it could confirm had been affected. Twitter confirmed that the breach was due to the vulnerability reported and patched back in January.
Loder has stated that the unreported hack he believes occurred earlier is distinct from the July hack, unless Twitter is lying about the July hack. He says that the data is in a “completely different format” with “different affected accounts”. However, he does believe that hackers capitalised on the same vulnerability.
Since accusing Twitter of the unreported hack, Loder has had his Twitter account suspended, with the platform saying that Loder had breached its rules.