Twitter confirmed earlier this year that the private data of 5.4 million users had been stolen by exploiting a bug in the platform, but the company claimed there was no evidence that it had been maliciously exploited. Meanwhile, evidence has emerged on a hacking forum that appears to show that at least 1.4 million Twitter profiles may have been compromised. Even more interestingly, the latter are reportedly suspended accounts, suspended either at the request of their owners or by Twitter administrators in response to various violations of the microblogging platform’s policies.
Even worse news for Elon Musk’s company is that the owner of that forum claims the security breach is actually much larger, with the hacker named “Devil” offering evidence for the existence of a database holding the information of tens of millions of users. Apparently, that attack, initiated at a slightly more recent date, took advantage of another Twitter vulnerability.
According to security expert Chad Loder, the same vulnerability was reportedly exploited by others to collect sensitive data such as phone numbers, email addresses and other public information about those users. While that data could be used in phishing attacks and other scams targeting Twitter users, even more worrying is the possibility of uncovering the real identity of those individuals. For example, the safety of users who rely on Twitter for political activism could be directly threatened by agents of their home governments.
In response to the possible security breach, users are encouraged to enable the two-step authentication feature for their Twitter account; the additional code generated by apps like Google Authenticator is enough to block possible account hijacking.