Explore the Latest in Tech Innovations

Please enable JavaScript in your browser to complete this form.
Name

Twitter confirms zero-day used to expose data of 5.4 million accounts

Aug 11, 2022 | Security

SOURCE: BleepingComputer

Screen Shot 2022-08-11 at 2.36.04 PM
  • https://x.com/ITBriefcase
  • LinkedIn

By Lawrence Adams

Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users’ accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.

Last month, BleepingComputer spoke to a threat actor who said that they were able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site.

This vulnerability allowed anyone to submit an email address or phone number, verify if it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account.

This allowed the threat actor to create profiles of 5.4 million Twitter users in December 2021, including a verified phone number or email address, and scraped public information, such as follower counts, screen name, login name, location, profile picture URL, and other information.

A redacted example of one of these created Twitter profiles can be seen below.

At the time, the threat actor was selling the data for $30,000 and had told BleepingComputer that there were interested buyers.

BleepingComputer later learned that two different threat actors purchased the data for less than the original selling price and that the data would likely be released for free in the future.

Twitter confirms zero-day used to collect data

Today, Twitter has confirmed that the vulnerability used by the threat actor in December is the same one reported to and fixed by them in January 2022 as part of their HackerOne bug bounty program.,

“In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” Twitter disclosed in a security advisory today.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”

As part of today’s disclosure, Twitter told BleepingComputer that they have already begun to send out notifications this morning to alert impacted users about whether the data breach exposed their phone number or email address.

At this time, Twitter tells us that they cannot determine the exact number of people impacted by the breach. However, the threat actor claims to have used the flaw to gather the data of 5,485,636 Twitter users.

While no passwords were exposed in this breach, Twitter is encouraging users to enable 2-factor authentication on their accounts to prevent unauthorized logins as a security measure.

For those using a pseudonymous Twitter account, the social media company suggests you keep your identity as anonymous as possible by not using a publicly known phone number or email address on your Twitter account.

“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” warned the Twitter advisory.

Furthermore, as two different threat actors have already purchased this data, users should be on the lookout for targeted spear-phishing campaigns utilizing this data to steal your Twitter login credentials.

author avatar
  • https://x.com/ITBriefcase
  • LinkedIn
Kayla Giglio
How to Spot and Report Phishing Emails

How to Spot and Report Phishing Emails

Phishing emails are among the most common cyber threats today. Designed to trick recipients into giving up sensitive information or downloading malware, they account for over 90% of successful cyberattacks. These emails exploit human behavior rather than technical...

read more
3-minute assessment to better cyber security

3-minute assessment to better cyber security

Start taking control of your security posture with our 3-minute security assessment, a quick yet powerful tool designed to identify critical vulnerabilities and bolster your cyber resilience. In just a few moments, discover how your current security posture measures up and gain insights into actionable steps you can take to strengthen your defenses. Take the first step towards a more secure environment and empower your team to embrace proactive measures that protect your valuable assets. Join us today and make informed decisions to navigate the ever-evolving landscape of cybersecurity.

read more
Share This