Twitter Hack (Aug 5, 2022)

Looks like Twitter has been hacked [slashgear]. The exploit appears to be a classic account-enumeration bug, exploited here through the login process. An attacker can use it to learn users' phone numbers, email addresses, and account IDs, and also link the three together. The vulnerability has been around since at least January 2022, and at least 5.4 million accounts have been exposed.
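To make the bug class concrete, here is an added illustration of the kind of enumeration oracle described above: a lookup step of a login flow that answers differently for known and unknown identifiers, next to a hardened version. This is example code written for this note, not Twitter's code; the user records, handles and contact values are constructed.

```python
# Added example (not from the post or from Twitter): the identifier-lookup step
# of a login flow as an enumeration oracle, beside a hardened version.
# USERS is constructed sample data; the handles, emails and phones are made up.

USERS = {
    # account id -> record
    1001: {"handle": "alice", "email": "alice@example.com", "phone": "+15550000001"},
    1002: {"handle": "bob",   "email": "bob@example.com",   "phone": "+15550000002"},
}

def _find_by_identifier(identifier: str):
    """Return (id, record) for the user whose email or phone matches, else None."""
    for uid, rec in USERS.items():
        if identifier in (rec["email"], rec["phone"]):
            return uid, rec
    return None

def lookup_vulnerable(identifier: str) -> dict:
    """Leaky variant: the response differs between known and unknown identifiers
    and even returns the linked account, so one request ties a phone or email
    to an account ID. This is the behaviour the post describes."""
    hit = _find_by_identifier(identifier)
    if hit is None:
        return {"status": "error", "message": "No account found for this identifier"}
    uid, rec = hit
    return {"status": "ok", "user_id": uid, "handle": rec["handle"]}

def lookup_hardened(identifier: str) -> dict:
    """Fixed variant: an identical response whether or not the identifier exists,
    so the lookup step carries no information about account existence."""
    # Run the same work on both paths so response content (and timing) match;
    # any real action, such as sending a login code, happens out of band.
    _find_by_identifier(identifier)
    return {"status": "ok", "message": "If an account exists, a login code has been sent"}

def is_enumeration_oracle(lookup, known: str, unknown: str) -> bool:
    """Regression check a defender can keep in a test suite: True if the lookup
    responds differently to an identifier that exists versus one that does not."""
    return lookup(known) != lookup(unknown)
```

The check only compares response bodies; a real regression test should also compare status codes, headers and response time, since any of those can leak the same bit.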

The company is now making the following recommendation:

“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”

This is fairly dishonest PR. As if the average computer user were juggling several burner phones. The company creates the problem by requiring a phone number, screws up, and then with a straight face and a complete disregard for people’s privacy and security, washes it off with a recommendation that very subtly explains how to circumvent its own artificial restrictions.

And if you have tried to create a pseudonymous account on Twitter, it’s not easy. At some point, the website worked through Tor and allowed you to create an account without much fuss. But after about 10 minutes of use, it would bully you into identification by blocking the site and prompting you for a phone number. And no, temporary numbers off the Internet would not work; the company went to great lengths to block those. So you would really have to go out of your way to purchase a burner phone to create that account. Is this what the company now recommends to protect people from its shitty service?

Internet of Shit commentary