The FTC investigation's specific concern with the Musk era is whether the company is retaining adequate resources to fund and staff the privacy practices it remains obligated to under a 2011 FTC settlement.
Twitter cites abuse of the SMS-based 2FA option by bad actors as the reason for the change in policy. The service will still allow free use of authenticator apps or hardware security keys as an additional account security layer.
Security researchers had matched email addresses to account names, providing an indication that the data leak was legitimate, but Twitter says that the data was gathered via a variety of publicly available sources.
The Irish DPC probe centers on an API vulnerability that appears to have been exploited by multiple parties before being detected and remediated. The data breach first came to light in August and was acknowledged by Twitter.
A vulnerability in Twitter's API in 2021 caused a data leak that exposed private user profile information of at least 5.4 million users. The information is now available for free on a dark web forum.
The now-public whistleblower allegations that Twitter may have active foreign spies on its payroll are sure to raise concerns about insider threats at companies everywhere. But focusing only on potential spies is a mistake.
A shocking whistleblower report from Peiter ‘Mudge’ Zatko, a well-known cybersecurity expert who served as Twitter's head of security from mid-2020 to early 2022, asserts that the company is "grossly negligent" in "several areas" of information security and privacy protections.
The problem stems from developers failing to remove the Twitter API keys they use for authentication from the app before they release it to the public. This creates the possibility of account hijacking.
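To show what "failing to remove the API keys from the app" looks like in practice, here is an added example (not code from the original page, from Twitter, or from any app named in it) that scans constructed samples of decompiled app files for hardcoded Twitter-style credentials. The file contents, the variable names and the credential values are all invented; the regexes are heuristics I am assuming (a credential-looking identifier assigned a long opaque string, and the user-id-dash-token shape of an OAuth 1.0a access token), not an official credential format. The third sample file shows the correct design: the app carries only a URL to its own backend, which holds the secret.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a decompiled Android app tree; nothing here is a real credential.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">DemoClient</string>\n'
        '  <string name="twitter_consumer_key">AbCdEfGhIjKlMnOpQrStUvWxY</string>\n'
        '  <string name="twitter_consumer_secret">'
        '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN</string>\n'
        '</resources>\n'
    ),
    "com/example/demo/TwitterConfig.java": (
        'package com.example.demo;\n'
        'public final class TwitterConfig {\n'
        '    static final String ACCESS_TOKEN = "123456789012-' + "a" * 40 + '";\n'
        '    static final String ACCESS_TOKEN_SECRET = "' + "Z" * 45 + '";\n'
        '    static final String TIMEOUT = "30";\n'
        '}\n'
    ),
    # Hardened design (assumed endpoint): the app never holds the consumer secret;
    # it asks its own backend, which keeps the secret server-side.
    "com/example/demo/Safe.java": (
        'static final String TOKEN_ENDPOINT = "https://api.example.com/twitter/token";\n'
    ),
}

# Heuristic 1 (assumption): a credential-looking name assigned a long opaque value.
NAMED_CREDENTIAL = re.compile(
    r'(?i)(?P<name>[a-z_]*(?:twitter|consumer|oauth|access)[a-z_]*(?:key|secret|token)[a-z_]*)'
    r'\s*(?:=|:|">)\s*"?(?P<value>[A-Za-z0-9\-]{20,})'
)
# Heuristic 2 (assumption): the <user id>-<40 chars> shape of an OAuth 1.0a access token.
ACCESS_TOKEN_SHAPE = re.compile(r'\b(?P<value>\d{7,25}-[A-Za-z0-9]{35,44})\b')


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    name: str
    severity: str   # "high": lets an attacker sign requests; "medium": identifier only
    redacted: str   # never log the full value


def _severity(name: str, value: str) -> str:
    lowered = name.lower()
    if "secret" in lowered or "token" in lowered or ACCESS_TOKEN_SHAPE.fullmatch(value):
        return "high"
    return "medium"


def _redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return at most one finding per line; the named match wins over the bare shape match."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = NAMED_CREDENTIAL.search(line)
        if m:
            name, value = m.group("name"), m.group("value")
            findings.append(Finding(path, lineno, name, _severity(name, value), _redact(value)))
            continue
        m = ACCESS_TOKEN_SHAPE.search(line)
        if m:
            findings.append(Finding(path, lineno, "<unnamed access token>", "high",
                                    _redact(m.group("value"))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.severity:6} {f.path}:{f.line} {f.name} = {f.redacted}")
```

Run against the samples, the scanner flags the consumer key as medium and the consumer secret, access token and access token secret as high, and reports nothing for the file that only carries a backend URL. A key alone identifies the app, but a key and secret pair lets anyone who extracts them sign requests as the app, which is the hijacking risk the paragraph refers to; the same patterns can be pointed at a `jadx` or `apktool` output directory instead of the inline samples.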
The primary concern with Twitter’s zero-day security breach is that authoritarian governments might tie names to the anonymous accounts of activists, political opposition and journalists they are targeting.
Twitter has in recent years begun periodically requiring phone number checks for "account security." What users have not always been aware of is that these phone numbers have been fed into Twitter's internal personalized advertising system.