Social media platform Twitter has sent out emails to users who are affected by a security vulnerability. Apparently, the issue was discovered in January this year and it was reported that phone numbers and email addresses belonging to 5.4 million accounts have been stolen and put on sale. Besides the sale of data, the security vulnerability also potentially exposes the identity of pseudonymous Twitter accounts through their registered phone number and email.
Twitter posted on its blog that a report about the vulnerability was first received in January 2022 through its bug bounty program. Because of this security vulnerability, if someone submitted an email address or phone number, Twitter's systems would tell that person which Twitter account, if any, the submitted email address or phone number was associated with. Twitter clarified that this security bug was the result of an update to its code back in June 2021.
In late July, a database belonging to 5.4 million Twitter users was posted for sale on an online forum for not “lower than USD 30,000” (about RM133,215). After checking through the sample data on the forum, Twitter admitted that a bad actor had taken advantage of the issue before it was addressed.
Twitter’s biggest concern at the moment appears to be owners of pseudonymous Twitter accounts who don’t want to reveal their identity. The platform said it understands the risks from the incident and deeply regrets that this happened. Interestingly, it recommends that users who want to keep their identity as veiled as possible not use a publicly known phone number or email address for their Twitter account. Since someone has already obtained a copy of the database, it is too late for those who have previously used their personal phone number or known email addresses.
Twitter assures users that no passwords were exposed by this data breach, but it still recommends that users enable 2-factor authentication using authentication apps or hardware keys to prevent unauthorised logins.
Data breaches are becoming a regular occurrence these days, especially in Malaysia. If you’ve been receiving random calls and spam SMS, it is safe to assume that your personal details including your full name, email and phone numbers have been leaked and widely circulated.
A few months ago, personal data and eKYC photos belonging to Malaysians allegedly obtained from the National Registration Department and Election Commission were put on sale online. There was even a website that sells personal data of Malaysians from as low as USD 1.50 (about RM6.66) per person.
Home Affairs Minister Datuk Seri Hamzah Zainuddin has denied that the data breaches came from the National Registration Department directly but unfortunately, there are no updates on the source of the data breach or efforts to nab the perpetrators responsible. Meanwhile, Defence Minister Datuk Seri Hishammuddin Hussein had said that the issues stemming from the recent data leak will not jeopardise national security.
Yesterday, payment gateway platform iPay88 issued a statement acknowledging a data leak that occurred in May. However, it didn’t reveal what type of data was leaked and how many customers and merchants were affected.