‘A bad actor took advantage…’: Twitter on reports of users' data sold online
Twitter has said that it will directly notify the account holders it confirms were affected by the bug. The social media platform has also recommended that users refrain from adding a publicly known phone number or email address to their Twitter accounts.
Microblogging platform Twitter has said it has fixed the bug that exposed users' account details to a ‘bad actor’, days after reports emerged that the personal information of 54 lakh Twitter users was being sold by a hacker.
In a statement released on Friday, Twitter said it wanted users to know about a ‘vulnerability’ that allowed someone to enter a phone number or an email address into the log-in flow in a bid to find out which account it belonged to.
The microblogging platform said it received a report about the vulnerability through its bug bounty program in January this year.
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the Twitter statement read.
The social media platform stated that the bug was caused by an update to the code in June last year.
“When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,” Twitter said.
On learning of reports that Twitter account-related data was being sold, the organisation said it reviewed a sample of the data that had been put up for sale.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”
This comes months after Twitter was asked to pay a $150 million penalty and introduce new safeguards to settle federal regulators' allegations that it failed to protect the privacy of users' data, AP had reported.
The regulators alleged that the microblogging platform violated a 2011 Federal Trade Commission order by deceiving users about how well it maintained and protected the privacy and security of their non-public contact information.