Twitter has confirmed that 5.4 million accounts were plundered in a recent data breach, with the hackers hauling away personal data such as physical locations, profile photos, email addresses, and phone numbers associated with those account profiles.
The hackers are already trying to make money off their theft. Bleeping Computer reports that the data the hackers tapped into is being offered for close to $30,000. Two different threat actors reportedly purchased the data for less than the original selling price, and all that information will likely be released for free in the future.
The attack came about as the result of a zero-day exploit – a maneuver in which hackers target a software vulnerability that software vendors or antivirus vendors are not aware of at launch. AndroidPolice reports that the Twitter hackers used a vulnerability that allowed anyone to query a phone number or email to check on an active Twitter account and then obtain the account information.
When it comes to zero-day exploits, Twitter is not alone. Over the last few years, Google, Apple, and Microsoft have all been hit by them. After being fined $150 million for failing to protect consumer data already this year, Twitter is trying its best to get ahead of this situation. The company said it deeply regrets the situation and fully understands the risk this poses to its users.
While the social media company is powerless to fix this current situation, it does have some recommendations that users can use to protect their personal data in the future. The first thing it suggests is making sure a Twitter account does not have a publicly known phone number or email address attached to it.
Even though passwords weren’t stolen, Twitter also strongly suggests enabling two-factor authentication by using authentication apps or hardware security keys. This can help protect a user's account if someone does steal their password.
The company says it’s also offering users access to its Office of Data Protection, where they can inquire about the safety of their account or ask questions about how it protects their personal information. Anyone who is interested in gaining access to that information can contact Twitter through this form.