Twitter Exposes Personal Information for 5.4 Million Accounts

Twitter accidentally exposed the personal information—including phone numbers and email addresses—for 5.4 million accounts. And someone was trying to sell this information.

In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.

In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

This includes anonymous accounts.
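As an added illustration (not code from the post or from Twitter), here is a constructed contact-lookup endpoint that behaves like the bug described above, beside a hardened version that answers uniformly, plus a check over constructed request logs that flags the mass-lookup pattern a defender would want alerted on. All accounts, handlers and log lines are made up for the example.

```python
from collections import defaultdict

# Constructed sample directory: contact (email or E.164 phone) -> handle.
ACCOUNTS = {
    "alice@example.org": "@alice_real",
    "+15555550123": "@anon_whistleblower",
}

# Messages the hardened handler sends out of band (constructed stand-in for
# e.g. a recovery email); never reflected in the HTTP reply.
OUTBOX: list[tuple[str, str]] = []


def normalize(contact: str) -> str:
    """Canonicalise a submitted identifier so trivial variants (case, spaces,
    dashes in phone numbers) map to one lookup key."""
    c = contact.strip()
    if "@" in c:
        return c.lower()
    return "".join(ch for ch in c if ch.isdigit() or ch == "+")


def lookup_vulnerable(contact: str) -> dict:
    """Leaky behaviour, as in the bug described above: the reply reveals both
    whether the contact is on file and which account it belongs to."""
    handle = ACCOUNTS.get(normalize(contact))
    if handle is None:
        return {"status": "no_account"}
    return {"status": "found", "handle": handle}


def lookup_hardened(contact: str) -> dict:
    """Same entry point, uniform reply: the caller learns nothing about whether
    a match exists. Any consequence goes to the submitted contact out of band."""
    key = normalize(contact)
    if key in ACCOUNTS:
        OUTBOX.append((key, "Account notice delivered out of band."))
    # Constant-shape reply regardless of the branch above.
    return {"status": "accepted"}


# Constructed request log lines: "<timestamp> <source_ip> <submitted_contact>".
SAMPLE_LOG = """\
2022-01-10T10:00:01Z 198.51.100.9 alice@example.org
2022-01-10T10:00:01Z 203.0.113.7 a@example.org
2022-01-10T10:00:02Z 203.0.113.7 b@example.org
2022-01-10T10:00:02Z 203.0.113.7 +1 555 555 0100
2022-01-10T10:00:03Z 203.0.113.7 +1-555-555-0123
"""


def flag_enumerators(log: str, threshold: int = 3) -> dict[str, int]:
    """Count distinct normalised contacts submitted per source. A source that
    probes many different identifiers is the enumeration pattern to alert on,
    whether or not the endpoint is still leaky."""
    distinct: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        _ts, src, contact = line.split(maxsplit=2)
        distinct[src].add(normalize(contact))
    return {src: len(s) for src, s in distinct.items() if len(s) >= threshold}
```

The uniform reply closes the oracle; the per-source distinct-contact count is the signal that would have shown the scraping while it was happening.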

This comment has it right:

So after forcing users to enter a phone number to continue using Twitter, despite Twitter having no need to know the user’s phone number, they then leak the phone numbers and associated accounts. Great.

But it gets worse… After being told of the leak in January, rather than disclosing the fact that millions of users’ data had been open for anyone who looked, they quietly fixed it and hoped nobody else had found it.

It was only when the press started to notice that they finally disclosed the leak.

That isn’t just one bug causing a security leak—it’s a chain of bad decisions and bad security culture, and if anything should attract government fines for lax data security, this is it.

Twitter’s blog post unhelpfully goes on to say:

If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

Three news articles.

Posted on August 12, 2022 at 9:13 AM • 37 Comments

Comments

Mike August 12, 2022 9:26 AM

How do they always get away with “we had no evidence…”?

That’s not evidence to the contrary.

Jon August 12, 2022 10:00 AM

Or, alternately, just make up some phone number. Wonder if they accept 555 exchange numbers? J.

Winter August 12, 2022 10:02 AM

To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

Translated: Never ever trust us. Anything you “entrust” to Twitter will be shared with your enemies and everyone who thinks he can make a profit off you.

As Benjamin Franklin already wrote:
Three can keep a secret, if two of them are dead.

If there are also European users involved, I would like to see how that will go down in European courts?

Terry Karney August 12, 2022 12:54 PM

You can give them a fake number, but then the 2FA doesn’t work, and you can lose access to your account.

Frank B. August 12, 2022 2:39 PM

Anyone who uses any form of anti-social media deserves everything that comes their way. Including the end of democracy.

When you choose to be the product you’ll eventually end up in the garbage bin with the other trash once your usefulness has run its course.

Security Sam August 12, 2022 4:27 PM

Our digital landscape has ultimately become
An insecure, unbalanced and unstable domain
With the cottage industry struggling to overcome
By selling digital snake oil to mitigate the pain.

BCS August 12, 2022 10:53 PM

Anyone know how long it would have taken to war-dial a significant fraction of the phone numbers in any given political region?

Who cares about “publicly known” phone numbers if someone could just scrape all of them.

David August 13, 2022 6:12 AM

This is about putting real names to accounts. In many countries you have to produce your identity card to register a phone account.

Q August 13, 2022 7:17 AM

So “for security” you are compelled to hand over a phone number. But it is really just a lazy method of limiting spam/robot/troll accounts only to people that have lots of spare phone numbers to burn.

So they have to keep the phone numbers in their records in order to prevent the same number being used multiple times. That part is obvious. But the desire to keep it paired with the account handle is where we can see the nefarious alternative motives at play.

There has to be a better way. Oh, I know, don’t use any of these exploitative manipulative addictive secretive anti-social services. The more people keep supporting them the more they will be emboldened to keep ratcheting it up as much as they can.

Clive Robinson August 13, 2022 7:42 AM

@ David, ALL,

Re : Real identity not.

Your comment,

“In many countries you have to produce your identity card to register a phone account”

Does not make an important point…

Most criminals know that in places like the UK you can walk into a “supermarket” and take a SIM off of a display unit, walk over to a till and pay cash for it, and get up to $20 equivalent of calls.

Also because of UK regulations such SIMs get “International roaming” included. So will work in those countries that demand ID be given to get a SIM.

Also the criminals know that they can keep “topping-up” the SIM by paying cash at little corner shops and the like, that also charge up “utility keys”, “bus passes” and all sorts of other services that are easy to tie a “False ID” to, thus start a chain towards identity theft.

Fun fact smarter people especially criminals know…

With roaming you can stand in one country, yet get phone service from another, something that puzzles some holidaymakers when they get back (but drug smugglers are well aware of). Sometimes the two adjacent countries are effectively having a “cold war” thus zero cross-border police cooperation… Oh and as “day boat sailors” increasingly know, many mobile service providers are providing quite deep coastal waters coverage, as it can be quite profitable.

Further fun fact, if a mobile phone is “off” most mobile service providers have “voice mail” where you can dial in from another phone to get your messages (this includes coming in over anonymous VoIP) and getting SMS messages forwarded is not difficult either, including forwarding to a “pager”.

Thus this “war on mobile phones” is actually NOT against criminals as is often claimed but ordinary citizens for the purposes of,

1, Political “chilling” or “control” of citizens.
2, Corporate Profit by making the citizens product.

Or of course both, corporates only care for the colour of the money not the politics of the hand passing it over by the truck load.

David Smith August 13, 2022 12:21 PM

I opened a Twitter account, about a year ago; no phone number, just on an email address.

I did not use the account AT ALL – logged in one or two, to set it up, but posted no tweets and read no tweets.

After about three weeks, the account was suspended, on the basis it had “violated Twitter’s T&C” and I needed to provide a swathe of personal information to continue using the account, including of course my phone number.

Companies love phone numbers. They are the next best thing to an SSN; they don’t change very much, and they identify an individual uniquely.

I explained to Twitter the account had not been used and I do not in fact keep a phone number, so I had no number to give them; the account was re-instated.

I may be wrong, but my suspicion is that ALL accounts without phone numbers are suspended, as a ruse by which to force people to hand over their personally identifying information.

(As an aside, I had exactly the same experience with an AWS account, at about the same time. Completely new account, not used, suspended about three weeks later. AWS completely messed up dealing with that though; I had multiple emails, each claiming different periods of time in which I had to hand over a metric ton of personal information, and in the end, in fact, the account was shut down with a single day of notice.)

SpaceLifeForm August 13, 2022 2:48 PM

@ David Smith, Clive, ALL

Re: Never used account

Your test is exactly what I concluded would happen years ago. This is why they want to get your PII and cross-correlate to other sources, because that is money.

They will sell your PII to data brokers. Later, you will get spam thru other channels. And continue to build up a profile on you.

If a site wants a phone number, be suspicious. Even if the site only wants an email address, also be suspicious, because with other traffic that one may not be thinking about, such as checking email on a phone, you may be providing the metadata to correlate.

Always avoid providing an email address or phone number. See Rewards Programs. Your PII is worth more than any future discount you may get.

Note how Twitter spun this.

There is no reason to believe that it was just ‘some’ and ‘anonymous’. Their API leaks.

https://www.schneier.com/blog/archives/2022/08/friday-squid-blogging-new-squid-species.html/#comment-408619

And you may get phished for fun and profit.

https://www.schneier.com/blog/archives/2022/08/a-taxonomy-of-access-control.html/#comment-408810

will security for food - anything helps August 13, 2022 3:58 PM

Free advice:

Don’t bother calling this a “bug” or a “security hole” or even “security”, it’s better “classified” as malevolence, criminal, nasty, hostile, invasive, exploitative.

To talk about this as if it’s a security “flaw” or “mistake” is really not what people ought to be doing. The collective nuance is that these problems were intentional, designed to cause problems, intended and designed to benefit the hostile innovators.

Recognizing this cultural issue, (not so much just a technical issue), is security-related.

Clive Robinson August 13, 2022 5:50 PM

@ will security…, ALL,

“Don’t bother calling this a “bug” or a “security hole” or even “security”, it’s better “classified” as malevolence, criminal, nasty, hostile, invasive, exploitative.”

But why not call it what it really is,

“The American dream in action”

US legislation with regards “personal information” boils down to,

“If you can grab it, it’s yours to make money with.”

It’s the same mentality that wiped out much of the original continental America.

In three hundred years the continent has had its resources plundered faster than any other place or time before.

Sadly it’s only getting worse, with the US consuming according to some sources half the world’s resources.

Or a little over 332 million people living at an average of at least ten times the world average…

If the US citizens want “Privacy” and “opportunity” and a working society for them and their children… Then they are going to have to wake up to the fact, that what they are taught growing up is fundamentally wrong, and enslaving them to those who have very serious mental disorders.

priv August 14, 2022 8:06 AM

did you know that one can no longer open up basic accounts at google or microsoft w/ a “non major us telecom carrier phone number” … meaning even at the create new account login stage, when asked for a phone number… google and microsoft will not accept any phone number not instantly verifiable as on the major telecoms.

i deduce that with “how could google know if they didnt have some pre logged records to cross reference?”

which if the info swap behind the scenes is of that magnitude… just think about your bank, trading account, work, mom’s obituary, etc?

SpaceLifeForm August 14, 2022 3:39 PM

@ -, Clive, Moderator

As I recently encountered the BHMT Demon posting a comment to this article, and I still have the original text, I am going to do some testing. Bear with me. I am going to put each paragraph up as separate comment, and see what happens.

This was in response to the comment by priv.

SpaceLifeForm August 14, 2022 3:45 PM

There is no logging required. Valid phone numbers are known. You can look it up. This is how they can flag an obviously fake phone number immediately.

SpaceLifeForm August 14, 2022 3:49 PM

So, by requiring SMS 2FA on an account, you just gave them more information to correlate. It is for their security, not just yours. But once you use the email or phone number elsewhere, say site X, even with a nym, it can be correlated if site X ‘leaks’, ‘provides’, or says ‘we was hacked’.

SpaceLifeForm August 14, 2022 3:57 PM

Note that this site is not site X. You do not need to provide an email or phone number here.

SpaceLifeForm August 14, 2022 4:11 PM

In the olden daze, there was a paper Criss-Cross directory, which was in the reference section of the library, and you had to provide ID to read it. You can find out the name and phone number from a street address.

SpaceLifeForm August 14, 2022 4:21 PM

I recommend a google search on that term if you are not familiar with it. It will definitely wake you up as to the utility of data correlation.

SpaceLifeForm August 14, 2022 4:56 PM

@ -, Clive, Moderator

And the test results are in.

It was a single line with a URL prefixed with a single quote to stop the automagic link creation as I have been doing.

It would have been between

https://www.schneier.com/blog/archives/2022/08/twitter-exposes-personal-information-for-5-4-million-accounts.html/#comment-408896

and

https://www.schneier.com/blog/archives/2022/08/twitter-exposes-personal-information-for-5-4-million-accounts.html/#comment-408900

Note that the comment_id jumped because others posted a comment to a different article.

Anyway, it was held immediately.

There is a deep parsing filter looking for URLs, but it has issues.

There is no reason to filter on this.

Here is a heavily obfuscated URL that tripped the filter. You will have to clean it up. Or you could just google the correct keywords and find it. It is not a pr0n site.

hxyyzy ps [colon] [slash] [slash] national na n pa [dot] com [slash] area [underscore] codes [slash]

This is braindead stupid. If others figure out the correct URL, and try to use it in a comment, it will likely be held.

SpaceLifeForm August 14, 2022 5:15 PM

@ -, Clive, Moderator

I am going to try one more test since I have my original comment still there in another tab.

I am going to flip one single bit.

JonKnowsNothing August 14, 2022 5:23 PM

@SpaceLifeForm

re: URL prefixed with a single quote to stop the automagic link creation

fwiw: This may work for this blog but does not work if the text is in other formats.

Such as copying a section of blog text containing a “quoted link” to an external editor. Depending on the editor, the line is still recognized as a link and all the hazards of links occur.

Only significantly fractured URLs remain fractured when copied to an editor.

Fractured URLs can still be rejoined by regex where an editor might not be able to rejoin the pieces.

It depends on what the parser is selecting and the regex expression.

SpaceLifeForm August 14, 2022 6:05 PM

@ -, Clive, Moderator

BHMT 102

I tried various tests, trying to get the filter to not see a URL, but all failed.

The AI is strong, you must heavily obfuscate certain URLs that which, even though they are public, it seems that the filter wants to block the sharing of information.

So, in conclusion, if you get a Held, and your comment had a URL, go back and obfuscate it, maybe heavily, so the filter does not see it. It may still fail, but it is worth a try.

Otherwise, provide keywords to search with.

MarkH August 14, 2022 8:23 PM

@SpaceLifeForm:

Police detective: Did anyone hear his last words?

Witness: A moment before the explosion, I heard him say “I am going to flip one single bit.”

JG4 August 15, 2022 12:17 AM

Maybe a couple of weeks ago, I had a comment held. The part that surprised me is that it never got released. Pretty tepid stuff.

Main point of stopping by today is to comment on the latest news about drones. I would include the headlines and links, but apparently that is an unsolved problem. And the proximate cause for my comment getting held. Can’t recall what the content or comment was that time. What caught my eye today is that Russia is buying drones in significant quantities from Iran. Hezbollah have deployed drones. Cost of delivery of government “services” in Yemen, Brazil, Afghanistan, and Iran is relatively high because of geography. It makes sense for governments interested in these countries to invest in developing drone technology to lower the cost of delivering “services.”

The problem of drones, or more broadly, projected intent, isn’t going to be easy to solve. Not as easy as the self-driving car problem. I could broaden the problem of projected intent to include distributed intent. It’s a short step from there to swarms of drones and the horror that Hitchcock managed to distill into “The Birds.” May you live in interesting times.

As always, appreciate the high level of discourse. For every thousand hacking at the branches, there is one that striking at the root. Here the ratio is closer to one out of two.

Clive Robinson August 15, 2022 5:25 AM

@ SpaceLifeForm, -, JG4, JonKnowsNothing, MarkH, ALL,

Re : URL lych knell

“The AI is strong, you must heavily obfuscate certain URLs that which, even though they are public, it seems that the filter wants to block the sharing of information.”

Yes a couple of weeks back I had to break a posting down into parts.

And it turned out that one of three URLs I had at the bottom was causing the blog to barf.

Eventually after much trial and error I resorted to using [] around every word to get it through.

The fact that as @JG4 notes the “held for moderation” apparently do not ever surface… can be down to two potential causes

1, They are lost in space.
2, They are not being rescued.

Either way it’s the lych knell for them so it’s best to keep a copy to reanimate a post. Which is a real pain on a Mobile Phone for various reasons, as is cut-n-paste paragraph by paragraph as you have no doubt just found out with your experiment 😉

Bob Paddock August 15, 2022 9:57 AM

@SpaceLifeForm

Even simple HTML like bold and italics will set off the held-for-moderation blackhole I just discovered.

SpaceLifeForm August 15, 2022 1:17 PM

@ Clive, -, JG4, JonKnowsNothing, MarkH, ALL

re: BHMT and Lost in Space Rescue

If a comment says ‘held’, you can not tell which quantum state it is in because you can not Observe state in a reliable manner.

As I previously demonstrated, a comment_id that can not possibly exist yet, is reported as in ‘held’ state.

Any comment that the blog software can not Observe, will be reported as ‘held’.

So, whether the comment never made it to the database, or was deleted later, will still appear as ‘held’.

Unless you saw it exist, and then later disappear, others would never know what event happened.

I’m pretty certain that if you get the instant ‘held’, it never made it to the database, and therefore, no rescue is possible. It does not exist, therefore can not be rescued.

All of your bits were Lost in Space due to a Black Hole Event Horizon.

Clive Robinson August 15, 2022 2:39 PM

@ SpaceLifeForm,

Re : Lost in space

I’m a little too old to change my name to “will” even though when I was that age I was dangerously similar to the character. So as I’m creaking along I guess I’ll have to go with “Prof Dr John”, or the unimaginable “Zach”.

SpaceLifeForm August 15, 2022 2:47 PM

@ priv, Clive, -, JG4, JonKnowsNothing, MarkH, ALL

re: phone number verification

‘https://support.signal.org/hc/en-us/articles/4850133017242

Twilio, the company that provides Signal with phone number verification services, notified us that they had suffered a phishing attack.

Dot. Note: SIP is NOT Secure.

‘https://customers.twilio.com/1087/twitter/

lurker August 15, 2022 4:10 PM

@SpaceLifeForm

Why does Twitter need to open a new office? I thought bots and the intarweb could do all that for them. Which is why Mr.M saw it as a cheap cash cow …

E.R. August 15, 2022 4:24 PM

How do you even get a “pseudonymous” twitter account? When I wanted to create an account they insisted on me entering a phone number that they then sent a text message to, to confirm that it was mine.

lurker August 15, 2022 4:47 PM

@SpaceLifeForm, re: phone number verification

“We are notifying all 1,900 potentially affected users directly via SMS.”

Ouch!

JonKnowsNothing August 18, 2022 12:08 AM

@ SpaceLifeForm. @ Clive, ALL

re: BHMT and Missing in the Quantum Flow

There is one quantum state you missed, although it might be in a different domain.

This is the state where the message is approved, you find the listing in the Last+100, you verify that the message also made it to the target thread.

Anywhere from a few minutes to hours to near instantaneous, a solar coronal loop hooks the post into the quantum runoff drain. Remnants of which may still be found, within the target thread, and sometimes in 3d party repositories.

So 2 additional state checks need evaluating: manual white hole escaped and automated white hole escaped.

===

White Hole: A theoretical region of spacetime and singularity that cannot be entered from the outside, although energy-matter, light and information can escape from it.
