Twitter has confirmed that the recent data breach that exposed the data of 5.4 million accounts was caused by the exploitation of a zero-day flaw.
In late July, a malicious actor leaked data from 5.4 million Twitter accounts obtained by exploiting a now patched vulnerability in the popular social media platform.
The threat actor offered the stolen data for sale on popular hacking forum Breached Forums. In January, a report published on Hacker claimed the discovery of a vulnerability that could be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user chose to prevent it in privacy options.
“The vulnerability allows any party without any authentication to obtain a twitter id(which is almost equivalent to getting the username of an account) from any user by submitting a phone/email number even if the user has prohibits this action in the privacy settings. The bug exists due to the authorization process used in Twitter’s Android client, specifically in the process of verifying a duplicate Twitter account. reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat because people can not only find users who have restricted findability by email/phone number, but any attacker with basic knowledge of scripting/coding can enumerate large chunk of twitter userbase unavailable to prior enumeration (create database with phone/email logins to username) These databases can be sold to malicious parties at advertising purposes or for the purpose of targeting celebrities in different malicious activities.”
The vendor claimed that the database contained data (i.e. emails, phone numbers) of users ranging from celebrities to corporations. The seller has also shared sample data in the form of a csv file.
“A few hours after the publication of the post, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the HackerOne report vulnerability above.” reads the message posted by RestorePrivacy.
“We uploaded the sample database for verification and analysis. It includes people from all over the world, with public profile information as well as the email or phone number of the Twitter user used with the account.
The seller told RestorePrivacy that they are asking at least $30,000 for the entire database.
Now, Twitter has confirmed that the data breach was caused by the now-patched zero-day vulnerability submitted by zhirinovskiy via bug bounty platform HackerOne.
Twitter confirmed the existence of this vulnerability and awarded zhirinovskiy a bounty of $5,040.
“We want to notify you of a vulnerability that allowed someone to enter a phone number or email address into the login flow in an attempt to determine if that information was linked to an existing Twitter account, and if yes, which specific account.” read twitter review. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew the A person’s email or phone number could identify their Twitter account, if there was one,” the social media company continues.
“This bug resulted from an update to our code in June 2021. When we learned of this, we immediately investigated and fixed it. At that time, we had no evidence to suggest anyone had taken advantage of the vulnerability.
The company is notifying affected users, it also added that it is aware of the risks caused by the security breach for users operating a pseudonymous Twitter account to protect their privacy.
The company pointed out that no passwords were exposed, but encourages its users to enable 2-factor authentication using authenticator apps or hardware security keys to protect their accounts from unauthorized logins.
BleepingComputer reported that two different hackers purchased the data for less than the original sale price. This means that threat actors could use this data to target Twitter accounts in the future.
Follow me on Twitter: @securityaffairs and Facebook
(Security cases – hacking, data leak)