Twitter has confirmed that a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users' accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.
Last month, BleepingComputer spoke to a threat actor who said they had been able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site.
This vulnerability allowed anyone to submit an email address or phone number, verify whether it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account.
This allowed the threat actor to create profiles of 5.4 million Twitter users in December 2021, including a verified phone number or email address, and scraped public information, such as follower counts, display name, login name, location, profile picture URL, and other data.
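The lookup oracle described above, and how a defender closes it, as an added Python example that is not Twitter's code or part of the original article: a handler that leaks account existence and ID, a hardened version that answers identically for known and unknown contacts and caps lookups per client, and a detector that flags clients hammering the endpoint in a constructed request log. The ACCOUNTS directory, the log field names and the endpoint path are assumptions.

```python
from collections import defaultdict

# Constructed sample directory standing in for the contact-to-account index.
ACCOUNTS = {"alice@example.com": 1001, "+15550100": 1002}

def lookup_vulnerable(contact):
    """Oracle of the kind described: answers whether the contact is linked
    to an account and, if so, hands back the account ID."""
    if contact in ACCOUNTS:
        return {"exists": True, "account_id": ACCOUNTS[contact]}
    return {"exists": False}

class HardenedLookup:
    """Same response for known and unknown contacts, plus a per-client
    lookup budget so the endpoint cannot be driven at scraping volume."""

    def __init__(self, max_lookups_per_client=20):
        self.max_lookups = max_lookups_per_client
        self.counts = defaultdict(int)

    def lookup(self, client_id, contact):
        self.counts[client_id] += 1
        if self.counts[client_id] > self.max_lookups:
            return {"status": "rate_limited"}
        if contact in ACCOUNTS:
            pass  # act on the match out of band (e.g. message the contact)
        return {"status": "accepted"}  # identical whether or not it matched

# Constructed request log; field names and path are hypothetical.
SAMPLE_LOG = """\
client=web-1 path=/contact_lookup status=200
client=web-1 path=/home status=200
client=bot-9 path=/contact_lookup status=200
client=bot-9 path=/contact_lookup status=200
client=bot-9 path=/contact_lookup status=200
client=bot-9 path=/contact_lookup status=200
"""

def flag_enumerators(log_text, threshold=3, path="/contact_lookup"):
    """Return clients that hit the lookup endpoint more than `threshold`
    times, the signal a scraping run against such an oracle leaves behind."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("path") == path:
            hits[fields["client"]] += 1
    return sorted(c for c, n in hits.items() if n > threshold)
```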
A redacted example of one of these created Twitter profiles can be seen below.
At the time, the threat actor was selling the data for $30,000 and had told BleepingComputer that there were buyers.
BleepingComputer later learned that two different threat actors bought the data for less than the original asking price and that the data would likely be released for free in the future.
Twitter confirms zero-day used to collect data
Today, Twitter has confirmed that the vulnerability used by the threat actor in December is the same one reported to and fixed by them in January 2022 as part of their HackerOne bug bounty program.
“In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” Twitter disclosed in a security advisory today.
“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
As part of today’s disclosure, Twitter told BleepingComputer that they have already begun sending out notifications this morning to alert impacted users about whether the data breach exposed their phone number or email address.
At this time, Twitter tells us that they cannot determine the exact number of people impacted by the breach. However, the threat actor claims to have used the flaw to gather the data of 5,485,636 Twitter users.
While no passwords were exposed in this breach, Twitter is encouraging users to enable two-factor authentication on their accounts to prevent unauthorized logins as a security measure.
For those using a pseudonymous Twitter account, the social media company suggests you keep your identity as anonymous as possible by not using a publicly known phone number or email address on your Twitter account.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” warned the Twitter advisory.
Furthermore, as two different threat actors have already bought this data, users should be on the lookout for targeted spear-phishing campaigns that use this data to steal their Twitter login credentials.