2021 Twitter Breach Springs Back to Threaten Users in 2022

A major data leak that hit Twitter recently stemmed from a breach in 2021, the company said. In the incident, a criminal exploited a zero-day vulnerability on the social media platform and stole the data of millions of user accounts.

“If someone submitted an email address or phone number to Twitter’s systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the social media platform said in a security advisory.

After learning of the flaw, Twitter investigated and patched it but found “no evidence to suggest someone had taken advantage of the vulnerability.”

However, by the time of the patch, the flaw had already been exploited, leading to the exposure of millions of user profiles.

Earlier this year, the alleged attack author offered the stolen data for sale on a notorious hacking forum. The seller claimed the ill-begotten database contained sensitive data such as email addresses and phone numbers originating from regular users as well as celebrity and company accounts. The seller also included a sample of the stolen data as a CSV file to validate the claims.

“In November 2022, some press reports published that Twitter users' data had been allegedly leaked online,” reads the company’s announcement. “As soon as we became aware of the news, Twitter’s Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases.”

Twitter states that no passwords were exposed during the incident but encourages users to enable two-factor authentication or hardware security keys to prevent unauthorized logins. The company also warns that the leaked data could be used in “very effective phishing campaigns,” and urged users to remain extra vigilant.