Email
Password
Remember meForgot password?
    Log in with Twitter

article imageTwitter bug may have shown email addresses of thousands of users

By James Walker     Feb 18, 2016 in Internet
Twitter has patched a "password recovery bug" on its main website that may have revealed the account details of almost 10,000 users. The security issue let outsiders see email addresses and phone numbers associated with the affected accounts.
The bug affected Twitter's password recovery systems for around 24 hours last week, the company said today. It "had the potential" to reveal the email address and phone numbers of "less than 10,000" active accounts but did not directly reveal the user's password.
Twitter has already contacted the affected users and will be providing advice on what to do next. Twitter is confident the issue has since been patched and that no further accounts have been affected.
The company said: "We recently learned about — and immediately fixed — a bug that affected our password recovery systems for about 24 hours last week. The bug had the potential to expose the email address and phone number associated with a small number of accounts (less than 10,000 active accounts). We’ve notified those account holders today, so if you weren’t notified, you weren’t affected."
The information on display isn't enough to login to a Twitter account but is easily sufficient for an attacker to start a phishing or scam campaign. Active email addresses and phone numbers are valuable pieces of personal data that should only be distributed to trusted friends, family, co-workers and businesses.
Twitter has contacted the relevant law enforcement bodies. A full investigation will be conducted into the day-long vulnerability to ensure it does not happen again. Twitter said it will be taking harsh action against any users who have exploited the bug, warning they will be handed permanent account suspensions.
The company said today: "We take these incidents very seriously, and we're sorry this occurred. Any user that we find to have exploited the bug to access another account's information will be permanently suspended, and we will also be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted."
Twitter has provided suggestions to users on how to maintain "good account security hygiene." This consists of the usual round of security tips, advising people to use a strong password with a mixture of different character types and enable two-factor authentication where possible. This prevents an attacker accessing an account by requiring a unique code, sent via SMS, to be entered at login.
This security incident may be comparatively minor, based on the number of users thought to be involved, but it doesn’t mean people who aren't affected should pass it off as an irrelevance. Twitter users can review their security settings and recent account logins in the "Security and privacy" section of the website's Settings menu.
More about Twitter, Social network, Social media, Password, Bug