The most recent Twitter breach occurred in July 2020 when hackers targeted high-profile accounts as part of a Bitcoin scam. While that incident was relatively small-scale – targeting just 130 accounts and only gaining access to dozens – it did result in more than $100,000 worth of transfers.
As far as we know, there have been no Twitter data breaches since July 2020. Below, you’ll find a full timeline of known breaches and security incidents involving Twitter.
July 2020: Hacker Takes Over High-Profile Accounts in Bitcoin Scam
While small in scale, one of the most widely covered Twitter security breaches occurred in July 2020. It involved a hacker who targeted the accounts of approximately 130 high-profile individuals, including Elon Musk, Bill Gates, Barack Obama, and Kanye West.
Once the hacker obtained access to a target account, they posted scam messages involving Bitcoin, claiming the account holder was “giving back” to their community by doubling all Bitcoin sent to their address and sending those funds back to the sender.
The attackers accessed the accounts by using Twitter internal administration tools to bypass some security measures, indicating that the hacker was using Twitter’s own system. The hackers were able to obtain over $100,000 in transfers as a result of this incident.
It’s believed that social engineering attacks were used to gain access to Twitter’s back end, not a technical vulnerability. It isn’t clear whether anything else was impacted. However, the attacker would have had access to other account information, including the content of DMs and other private account data.
November 2019: Data from Hundreds of Twitter Accounts Exposed
While the incident was small-scale, hundreds of Twitter users learned in November 2019 that some of their personal data was exposed. The One Audience development kit allowed developers to access usernames and email addresses. If a Twitter user used their Twitter account to log into an impacted app, the developer could see a limited amount of personal information, as well as some recent tweets.
The incident was very limited, impacting only a few hundred individuals with Android devices. Both Twitter and Facebook accounts were affected.
After learning of the issue, Twitter notified the affected users. Additionally, Google was alerted to the incident, allowing the company to take action if necessary.
November 2019: Two Former Employees Charged with Spying
In November 2019, two former Twitter employees were charged with spying for Saudi Arabia. They were accused of exploring and gathering personal information on specific users at the behest of the foreign nation, focusing on accounts that were critical of the Saudi Arabian government. However, other account data was potentially exposed as the spies compiled some data in bulk.
Twitter stated that it limited access to sensitive information among its staff. However, these two employees succeeded in accessing private account details, despite lacking the official authorization to do so.
October 2019: Twitter Uses Data Provided for Two-Factor Authentication for Ad Targeting
In October 2019, a privacy issue involving phone numbers and other data provided to Twitter for two-factor authentication came to light. The company said it mistakenly incorporated phone numbers and email addresses provided for two-factor authentication into its ad systems, namely its Tailored Audiences and Partner Audiences.
While the personal information was directly provided to marketers, it was used for ad targeting purposes. Essentially, the contact details were factored into a larger equation to determine if a user was part of a marketer’s target audience without the user’s consent.
Twitter handled the cause of the data leak in September 2019, though it didn’t make the incident public until approximately three weeks later. The exact scope of the incident wasn’t clear. Additionally, it isn’t fully known how long the issue occurred.
December 2018: Twitter Security Flaw Leaks User Phone Number Country Codes
In December 2018, reports emerged describing a security flaw that exposed the phone number country codes of Twitter users. This potentially allowed malicious actors to determine the countries accounts were based in, something that could have ramifications for political dissidents, protestors, whistleblowers, activists, and other users who may be targeted for retaliation or silencing.
The issue stemmed from a support form, potentially giving others the ability to find out the country code associated with an individual account. It isn’t clear how many times the security flaw was used to gain information on other users.
While the issue wasn’t announced publicly until December 2018, reports indicate a security researcher informed Twitter about the problem two years prior by filing a bug report. However, that report was closed without action after Twitter deemed it wasn’t a “significant security risk.”
May 2018: Bug Leaves 330 Million Passwords Exposed
In May 2018, Twitter advised every user to change their password after the company discovered a bug that left passwords exposed in an internal system. While there was no evidence of a breach or misuse, the passwords were unencrypted in an internal log, making them readable to anyone who accessed that system.
Since the glitch potentially impacted every user, the company recommended that everyone with a Twitter account change their password as a precaution. The company also rectified the issue and took additional steps to avoid the bug in the future.
February 2013: Hack Leaves 250,000 Accounts Compromised
In February 2013, Twitter announced a security incident that potentially impacted around 250,000 users. The company said that attackers were able to gain access to account information, specifically user names and email addresses.
Twitter became aware of an issue after it detected signs of an attack about a week prior to the announcement. That activity led to a broader investigation, which made the company aware of the larger breach, namely, unauthorized access attempts.
While Twitter was able to stop one attack in progress, the investigation revealed that other accounts might have been compromised, with a limited amount of user data becoming available to the attackers. In response, Twitter revoked session tokens and forced password resets, ensuring impacted users would update their passwords before accessing the site moving forward.
Twitter wasn’t highly specific regarding what allowed the attack to occur, only quickly referencing a Java vulnerability. At the time of the incident, it wasn’t clear who was behind the hack.
April 2009: Hacker Breaches Twitter Administrator Account
In April 2009, a hacker guessed a Twitter administrative password after gaining access to an employee’s personal email account and finding two other passwords stored there in plain text. Once inside the system, the hacker changed at least one Twitter account password. Additionally, while it isn’t clear whether any information was gathered, the attacker would have had access to nonpublic information on essentially any account.
January 2009: Hacker Hijacks 33 High-Profile User Accounts
In January 2009, a hacker used an automated password-guessing tool to access the Twitter administrative control panel. The password used was considered a weak password, being an all-lower-case word you can find in the dictionary.
Since Twitter allowed an unlimited number of password attempts and didn’t flag a high number of attempts happening in quick succession, the hacker gained entry. Once inside, the hacker would change the passwords associated with various accounts, allowing others to gain access. In total, 33 accounts were compromised, and many were used to post messages that weren’t written by the account holder.
This incident – along with the one in April 2009 – led to charges from the FTC. Twitter ultimately settled.
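
The two controls missing in the January 2009 incident, a cap on password attempts and a flag for bursts of failures, can be sketched as follows. This is an added example, not Twitter's code: the log format, the thresholds, and the function name review_attempts are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # assumed policy values, not Twitter's
WINDOW = timedelta(seconds=60)
LOCKOUT = timedelta(minutes=15)

# Constructed sample log: ISO timestamp, account, source, password check result
SAMPLE_LOG = """\
2009-01-05T03:00:00 alice 203.0.113.5 FAIL
2009-01-05T03:00:01 admin 198.51.100.7 FAIL
2009-01-05T03:00:02 admin 198.51.100.7 FAIL
2009-01-05T03:00:03 admin 198.51.100.7 FAIL
2009-01-05T03:00:04 admin 198.51.100.7 FAIL
2009-01-05T03:00:05 admin 198.51.100.7 FAIL
2009-01-05T03:00:06 admin 198.51.100.7 OK
2009-01-05T03:00:30 alice 203.0.113.5 OK
2009-01-05T03:20:00 admin 192.0.2.10 OK
"""

def review_attempts(log_text):
    """Return (decisions, alerts) for the login attempts in the log."""
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    locked_until = {}              # account -> time the lockout expires
    decisions, alerts = [], []
    for line in log_text.splitlines():
        stamp, account, source, result = line.split()
        now = datetime.fromisoformat(stamp)
        if now < locked_until.get(account, datetime.min):
            # Locked: reject even a correct password, so guessing cannot win.
            decisions.append((stamp, account, "REJECT_LOCKED"))
            continue
        if result == "OK":
            failures[account].clear()
            decisions.append((stamp, account, "ALLOW"))
            continue
        recent = failures[account]
        recent.append(now)
        while now - recent[0] > WINDOW:  # drop failures outside the window
            recent.popleft()
        decisions.append((stamp, account, "DENY"))
        if len(recent) >= MAX_FAILURES:  # burst: lock the account and alert
            locked_until[account] = now + LOCKOUT
            alerts.append((stamp, account, source, len(recent)))
    return decisions, alerts

if __name__ == "__main__":
    for row in sum(review_attempts(SAMPLE_LOG), []):
        print(*row)
```

In the sample, the correct guess at 03:00:06 is rejected because the fifth failure one second earlier locked the account, while the single mistyped password for alice raises no alert.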