Threat actors took advantage of a zero-day vulnerability to obtain information on more than five million of Twitter's 229 million users.
Twitter confirmed on Friday that a vulnerability in its software had allowed a threat actor to breach its user data, enabling them to look up a phone number or email address and determine whether it was associated with a Twitter account. The bug was introduced by a code update in June 2021, and at the time the company had no evidence that it was being taken advantage of.
But in July 2022, Twitter learned through a press report that a threat actor had indeed taken advantage of the bug and compiled information on up to 5.4 million users in an attempt to sell it, a Twitter blog update said. The company said that it reviewed the data and confirmed that the threat actor had taken advantage of the bug before the developers were able to patch it.
How Did the Twitter Data Breach Occur?
A threat actor confirmed to Bleeping Computer last month that they were able to build a list of up to 5.4 million Twitter account profiles simply by using the vulnerability on the social media platform. The bug allowed anyone to submit an email address or phone number and check whether it was associated with a Twitter account. If it was, the lookup returned the associated account ID.
This was the method used by the threat actor to scrape the public information for each account they found. The list of 5.4 million user accounts was compiled in December 2021 and it included a verified phone number or email address, as well as follower counts, screen name, login name, location, profile picture URL, and other public information.
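The lookup behaviour described above, shown as an added example that is not Twitter's code and is not taken from the article: a constructed, in-memory account store, a lookup that behaves like the described oracle (a different answer, plus the account ID, for identifiers that exist), a hardened variant that returns the same response for every identifier and rate-limits each caller, and a small check a defender can run against either version to detect whether an endpoint reveals whether an identifier is registered. All names, identifiers and limits here are hypothetical.

```python
"""
Constructed illustration of an account-existence oracle like the one described
in the article, beside a hardened version of the same endpoint.
Not Twitter's code; all accounts, callers and limits are made up.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed sample account store: normalized email/phone -> account ID.
ACCOUNTS: Dict[str, int] = {
    "alice@example.org": 1001,
    "+15550100": 1002,
    "bob@example.net": 1003,
}


def normalize(identifier: str) -> str:
    """Canonical form so that case and whitespace variants map to one key."""
    return identifier.strip().lower()


# --- Vulnerable behaviour: "is this identifier on the platform?" oracle -------

def vulnerable_lookup(identifier: str) -> dict:
    """Returns the account ID when the email/phone is known, else 'not_found'.
    The difference between the two responses lets a caller test identifiers
    one by one and link each hit to an account, which is the flaw described."""
    account_id = ACCOUNTS.get(normalize(identifier))
    if account_id is None:
        return {"status": "not_found"}
    return {"status": "found", "account_id": account_id}


# --- Hardened behaviour --------------------------------------------------------

@dataclass
class RateLimiter:
    """Fixed-window counter per caller; makes bulk probing of identifiers slow
    and visible instead of free."""
    max_requests: int
    window_seconds: float
    _hits: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def allow(self, caller: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        start, count = self._hits.get(caller, (now, 0))
        if now - start >= self.window_seconds:
            start, count = now, 0          # window expired: start a new one
        count += 1
        self._hits[caller] = (start, count)
        return count <= self.max_requests


LIMITER = RateLimiter(max_requests=5, window_seconds=60.0)


def hardened_lookup(identifier: str, caller: str, now: Optional[float] = None) -> dict:
    """Same response whether or not the identifier exists, never returns the
    account ID, and throttles callers that hammer the endpoint. A real service
    would send any follow-up (for example an account-recovery message) to the
    identifier itself rather than telling the caller anything about it."""
    if not LIMITER.allow(caller, now):
        return {"status": "rate_limited"}
    _ = ACCOUNTS.get(normalize(identifier))  # result deliberately not disclosed
    return {"status": "accepted"}


def oracle_leaks(lookup: Callable[[str], dict], known: str, unknown: str) -> bool:
    """Defender's check: does the endpoint answer differently for an identifier
    that exists versus one that does not? True means it is an enumeration oracle."""
    return lookup(known) != lookup(unknown)


if __name__ == "__main__":
    print("vulnerable leaks:",
          oracle_leaks(vulnerable_lookup, "alice@example.org", "nobody@example.org"))
    print("hardened leaks:",
          oracle_leaks(lambda i: hardened_lookup(i, "demo", now=0.0),
                       "alice@example.org", "nobody@example.org"))
```

The uniform response only removes the difference in the body; response timing and other side channels are separate concerns, and the rate limiter is a per-caller fixed window that a production service would back with shared storage and pair with logging so that bulk lookups show up in monitoring.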
At the time, the threat actor attempted to sell the data for $30,000, confirming that there were indeed interested buyers. Two different entities purchased the data for less than the original selling price, increasing the possibility of the data being released for free in the future.
Twitter Data Breach Raises Concern Over Online Safety
The social media giant said that no passwords were exposed in the Twitter data breach but encouraged its users to enable two-factor authentication to prevent unauthorized logins. It also recommended that those who use a pseudonymous Twitter account keep their identity as anonymous as possible by not adding a publicly known phone number or email address to the account.
AP News reported that the Twitter data breach was especially concerning for many account users, in particular human rights activists, who do not reveal their identities in their profiles for security reasons. The flaw was discovered by a security researcher earlier this year, and the company paid a reported $5,000 bounty to the individual. Twitter also confirmed that the impact of the data breach was "global" and that it is unable to determine the location of the account holders who were affected by it.