Twitter Patches Password Recovery Flaw

Oops. A bug in Twitter’s password recovery system may have exposed the account details of almost 10,000 users

Twitter has revealed a serious vulnerability with its password recovery system that could have exposed the account details of almost 10,000 active Twitter users.

The microblogging service said in a blog post that the bug affected its password recovery systems for about 24 hours last week, and that it fixed the flaw immediately after learning of its existence.

Password Recovery

Twitter admitted the bug may have revealed account details, including the email addresses and phone numbers associated with the affected accounts.

“We recently learned about – and immediately fixed – a bug that affected our password recovery systems for about 24 hours last week,” said Twitter. “The bug had the potential to expose the email address and phone number associated with a small number of accounts (less than 10,000 active accounts). We’ve notified those account holders today, so if you weren’t notified, you weren’t affected.”

Twitter said that whilst the exposed information was not enough to log in to a Twitter account, it could allow an attacker to begin a phishing or scam campaign, as active email addresses and phone numbers are valuable to fraudsters.

“We take these incidents very seriously, and we’re sorry this occurred,” said Twitter. It also warned of stiff penalties: any user it discovers has “exploited the bug to access another account’s information will be permanently suspended.”

Twitter also warned that it will “be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted.”

The company also reminded its users of “the importance of good account security hygiene,” including the use of strong passwords and login verification.

Past Issues

Twitter’s recent problems have mostly been outages, but the company has suffered security vulnerabilities in the past.

In June 2014, Twitter account holders were urged not to use the popular TweetDeck client after users were alerted to a potentially nasty bug in the platform that could lead to “mass account compromise”.

Pop-up alerts appeared in some users’ browsers as the tweet carrying the exploit code was retweeted across Twitter. As soon as a user’s browser rendered the code, JavaScript ran on their machine and an alert popped up highlighting the flaw.

Earlier that same year, a security researcher uncovered another flaw in Twitter’s systems that had been active for a number of months and affected the privacy of more than 93,000 accounts.
