The tech giant announced today that it has fixed the Twitter bug that exposed some users’ email addresses and phone numbers. Twitter said the bug affected its password recovery system and exposed users’ information for about 24 hours last week. Although fewer than 10,000 accounts were affected, the bug could have exposed information linked to those accounts.
Twitter announced the news in a blog post, clarifying that no passwords that could directly access the accounts were exposed. The company also said that all affected accounts were notified about the Twitter bug, so if you were not notified, your account was not affected.
The Twitter bug allowed hackers to steal Twitter accounts from their real owners and tweet on their behalf. Many handles, including @god, @emoji, @just, @point, @insert and @bass, as well as two-character handles such as @30, were hijacked.
What exactly happened with the password recovery system? According to various Twitter accounts, when users tried to reset their password, Twitter displayed the full email address linked to the account. (Usually, the email address is partially asterisked out.)
Once a hacker knows a Twitter handle and its associated email address, they may be able to get access to the corresponding account. If the email address is no longer active, a hacker could simply re-register it and then reset the Twitter password to take over the account. If the email address is active, they may try to compromise it instead, for example through social engineering, i.e. tricking people into revealing their email passwords.
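The defensive point of the story is that a recovery page should only ever show the partially asterisked form of a contact address. The following is an added example written for this article, not Twitter’s code; the masking rules (first and last character of the mailbox name, top-level domain, last two phone digits) are assumptions chosen for illustration.

```python
import re

# Matches a mailbox name and a domain; enough for display masking.
_EMAIL_RE = re.compile(r"^([^@]+)@([^@]+)$")


def mask_email(address: str) -> str:
    """Return the partially asterisked form a recovery prompt should display.

    Keeps the first and last character of the mailbox name and the top-level
    domain, so the owner can recognise the address while a guesser learns
    little. The exact policy is an assumption made for this example.
    """
    m = _EMAIL_RE.match(address)
    if not m:
        raise ValueError("not an email address")
    local, domain = m.group(1), m.group(2)
    if len(local) <= 2:
        masked_local = local[0] + "*" * max(len(local) - 1, 1)
    else:
        masked_local = local[0] + "*" * (len(local) - 2) + local[-1]
    tld = domain.rsplit(".", 1)[-1]
    masked_domain = "*" * max(len(domain) - len(tld) - 1, 1) + "." + tld
    return f"{masked_local}@{masked_domain}"


def mask_phone(number: str) -> str:
    """Keep only the last two digits, as recovery screens commonly do."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 4:
        raise ValueError("too short to be a phone number")
    return "*" * (len(digits) - 2) + digits[-2:]


def recovery_hint(contact: str) -> str:
    """Build the text a reset page shows: always the masked form.

    The bug described above amounts to returning `contact` unmasked.
    Routing every display through this one function makes masking a
    single point to review and test, rather than a per-template detail.
    """
    if "@" in contact:
        return f"We sent a reset link to {mask_email(contact)}"
    return f"We sent a code to {mask_phone(contact)}"


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    print(recovery_hint("alice.smith@example.com"))
    print(recovery_hint("+1 (415) 555-0199"))
```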
Why are these accounts being hacked? “Cool” Twitter handles that are short or interesting are a status symbol for some in the hacking scene. Many are even willing to pay for such handles, and a small underground market sells “OG” handles after hijacking them.
After Twitter announced that the bug was fixed, Michael Coates, Twitter’s trust and information security officer, stated: “We take these incidents very seriously, and we’re sorry this occurred. If we find any user that has exploited the bug in order to access another account, they will be permanently suspended, and we will be engaging law enforcement as appropriate so they may conduct a systematic investigation and bring charges as warranted.”
The company also reminded users to maintain good account security hygiene: require additional information before a password can be reset, use a strong password (and get rid of “Password123” and “Pizza”), enable login verification, and do not grant access to third-party apps you are not familiar with.