Twitter confirms zero-day used to expose data of 5.4 million accounts

Twitter has confirmed that a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users' accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.

Last month, BleepingComputer spoke to a threat actor who said that they were able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site.

This vulnerability allowed anyone to submit an email address or phone number, verify whether it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account.
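The flaw described above is an account-existence oracle: the lookup answered differently depending on whether a contact was registered, and handed back the account ID. The following added example (not Twitter's code; the account table, handler names and log format are constructed for illustration) shows a leaky lookup beside a hardened one that returns the same response either way, plus a simple check over constructed access-log lines that flags a client querying many distinct contacts, which is the scraping pattern a defender would want to detect and rate-limit.

```python
"""Constructed simulation of a contact-lookup oracle and a hardened variant (not Twitter's code)."""
from collections import defaultdict

# Constructed sample account store: contact (email or phone) -> account id
ACCOUNTS = {"alice@example.com": 1001, "+15550001111": 1002}


def lookup_vulnerable(contact: str) -> dict:
    """Leaks existence and account id: the answer differs for known and unknown contacts."""
    if contact in ACCOUNTS:
        return {"found": True, "account_id": ACCOUNTS[contact]}
    return {"found": False}


def lookup_hardened(contact: str) -> dict:
    """Uniform answer whether or not the contact is registered; any follow-up goes out of band."""
    if contact in ACCOUNTS:
        pass  # placeholder: notify the contact owner by email/SMS, never the caller
    return {"status": "If this contact is registered, a message has been sent to it."}


def oracle_leaks(lookup) -> bool:
    """True if the responder's output distinguishes a registered from an unregistered contact."""
    return lookup("alice@example.com") != lookup("nobody@example.com")


# Constructed access-log lines in the form "<client> <endpoint> <contact>"
LOG = """\
10.0.0.5 /lookup alice@example.com
10.0.0.5 /lookup bob@example.com
10.0.0.5 /lookup +15550001111
10.0.0.5 /lookup carol@example.com
10.0.0.5 /lookup +15550002222
192.0.2.9 /lookup alice@example.com
"""


def enumeration_sources(log: str, threshold: int = 4) -> list:
    """Clients that looked up at least `threshold` distinct contacts: a bulk-enumeration signal."""
    seen = defaultdict(set)
    for line in log.splitlines():
        client, endpoint, contact = line.split()
        if endpoint == "/lookup":
            seen[client].add(contact)
    return sorted(c for c, contacts in seen.items() if len(contacts) >= threshold)
```

The hardened handler removes the oracle; the log check is what catches the volume of lookups a 5.4-million-row scrape needs even when the response is uniform.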

Twitter data being sold on a hacker forum
Source: BleepingComputer

This allowed the threat actor to create profiles of 5.4 million Twitter users in December 2021, including a verified phone number or email address, and scraped public information, such as follower counts, screen name, login name, location, profile picture URL, and other information.

A redacted example of one of these created Twitter profiles can be seen below.

A redacted example of one of the generated Twitter profiles
Source: BleepingComputer

At the time, the threat actor was selling the data for $30,000 and had told BleepingComputer that there were buyers.

BleepingComputer later learned that two different threat actors purchased the data for less than the original selling price and that the data would likely be released for free in the future.

Twitter confirms zero-day used to collect data

Today, Twitter confirmed that the vulnerability used by the threat actor in December is the same one reported to and fixed by them in January 2022 as part of their HackerOne bug bounty program.

“In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” Twitter disclosed in a security advisory today.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”

As part of today’s disclosure, Twitter told BleepingComputer that they have already begun sending out notifications this morning to alert impacted users about whether the data breach exposed their phone number or email address.

At this time, Twitter tells us that they cannot determine the exact number of people impacted by the breach. However, the threat actor claims to have used the flaw to gather the data of 5,485,636 Twitter users.

While no passwords were exposed in this breach, Twitter is encouraging users to enable two-factor authentication on their accounts to prevent unauthorized logins as a security measure.

For those using a pseudonymous Twitter account, the social media company suggests you keep your identity as anonymous as possible by not using a publicly known phone number or email address on your Twitter account.

“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” warned the Twitter advisory.

Furthermore, as two different threat actors have already purchased this data, users should be on the lookout for targeted spear-phishing campaigns that use this data to steal their Twitter login credentials.
