[BreachExchange] Twitter admits data breach, asks India users to change password

Destry Winant destry at riskbasedsecurity.com
Tue Dec 24 10:04:02 EST 2019

Vulnerability could allow a bad actor to see non-public account info
or to control your account on Android

NEW DELHI: Twitter on Saturday disclosed a vulnerability in its Android app
through which a bad actor could have inserted malicious code and
compromised some users' information worldwide, including in India, as
people woke up to an email from Twitter warning them to update the app
for Android.

The vulnerability in Twitter for Android could allow a bad actor to see
non-public account information or to control your account (send tweets
or direct messages), Twitter said.

“Prior to the fix, through a complicated process involving the
insertion of malicious code into restricted storage areas of the
Twitter app, it may have been possible for a bad actor to access
information (direct messages, protected tweets, location information)
from the app,” Twitter said in a statement.

“Out of an abundance of caution, we ask that you consider changing
your password on all services where you’ve used this password,” said
Parag Agrawal, Chief Technology Officer at Twitter.

The company said it does not have direct evidence that malicious code
was inserted into the app or that this vulnerability was exploited, but
that it cannot be completely sure. Twitter also did not divulge the
number of users affected.

“We have taken steps to fix this issue and are directly notifying
people who could have been exposed to this vulnerability either
through the Twitter app or by email with specific instructions to keep
them safe.”

Twitter recommended updating to the latest version of the Android app,
as the issue did not affect “Twitter for iOS”.

“We're sorry this happened and will continue working to keep your
information secure on Twitter,” said the company in the email sent to
the Indian users, adding that those affected can also reach out to
Twitter's Office of Data Protection, requesting information regarding
their account security.

The Twitter disclosure came two days after several Indian users saw
warning pop-ups from Google in the Chrome browser, on mobile and
desktop, as they opened certain affected websites, alerting them that
the site or app they had visited had suffered a data breach which also
exposed their passwords.

The internet giant issued warning of data breach for users in India
and globally after fixing the Chrome 79 bug and re-issuing it for the

Twitter has faced several vulnerabilities on its platform in the
recent past. In May, Twitter disclosed a bug that shared some iOS
users' data with an unnamed partner, even if the users did not opt to
share data.

In February, a bug in Twitter exposed private tweets of some Android
users for over five years when they made changes in their settings,
like changing the email address linked to their accounts.
