Twitter says it has fixed a security vulnerability that threat actors exploited to obtain account data on approximately 5.4 million users, which was then put up for sale on a known hacking forum.
The vulnerability allowed a threat actor to enter a phone number or email address into the log-in flow to learn whether that information was tied to an existing Twitter account and, if so, which specific account.
“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. When we learned about this, we immediately investigated and fixed it,” Twitter disclosed in a security advisory.
The flaw was discovered by security researcher Zhirinovsky in January 2022, who was awarded $5,000 for disclosing the vulnerability.
“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” read the report.
“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”
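The enumeration pattern the report describes, alongside the two server-side mitigations that close it, as an added example (not Twitter's code; the accounts and function names are constructed for illustration): the vulnerable duplicate check answers with the linked account ID, the hardened one returns the same reply whether or not the contact is known and moves the real answer out of band, and the authenticated contact lookup honours the per-channel opt-out.

```python
from dataclasses import dataclass

@dataclass
class Account:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool = True
    discoverable_by_phone: bool = True

# Constructed sample accounts (hypothetical; not data from the incident).
ACCOUNTS = [
    Account(101, "alice@example.com", "+15550100",
            discoverable_by_email=False, discoverable_by_phone=False),
    Account(102, "bob@example.com", "+15550101"),
]

def _find(identifier: str):
    return next((a for a in ACCOUNTS if identifier in (a.email, a.phone)), None)

def duplicate_check_vulnerable(identifier: str) -> dict:
    """Anti-pattern from the report: an unauthenticated duplicate check that
    answers with the linked account ID and ignores the privacy setting."""
    a = _find(identifier)
    return {"taken": True, "user_id": a.user_id} if a else {"taken": False}

OUTBOX: list = []  # stands in for the email/SMS sender

def duplicate_check_hardened(identifier: str) -> dict:
    """Uniform reply: the caller learns nothing from the response. Whether an
    account exists is only communicated to the contact itself, out of band."""
    a = _find(identifier)
    OUTBOX.append((identifier, "existing-account notice" if a else "verification code"))
    return {"status": "pending", "message": "Check your inbox or phone to continue."}

def contact_lookup(identifier: str):
    """Authenticated contact discovery that honours the per-channel opt-out,
    so an opted-out account is indistinguishable from a non-existent one."""
    a = _find(identifier)
    if a is None:
        return None
    allowed = a.discoverable_by_email if identifier == a.email else a.discoverable_by_phone
    return a.user_id if allowed else None
```

Response uniformity alone is not enough in practice; the same endpoint should also be rate-limited per source so bulk submissions stand out in logs.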
According to Twitter, the bug was introduced by an update to its code in June 2021 and was fixed immediately after it was identified in January 2022. At that time, the company had no evidence that anyone had taken advantage of the vulnerability.
Although the bug was patched, the fix came too late: threat actors had already exploited the vulnerability during the six-month window between June 2021 and January 2022 to compile a database of email addresses and phone numbers for 5.4 million Twitter accounts.
The microblogging platform said that it learned through a press report in July 2022 that someone had potentially exploited the bug and was offering to sell the compiled information, ranging “from celebrities to companies”, for $30,000.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will be directly notifying the account owners we can confirm were affected by this issue.”
For those using a pseudonymous Twitter account, the company recommends keeping their identity as veiled as possible by not adding a publicly known phone number or email address to the account.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” warned the Twitter advisory.
The microblogging platform has also encouraged everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect their account from unauthorized logins.
Twitter said it did not know how many Twitter users were impacted by the breach and emphasized that no passwords were exposed.
“We can confirm the impact was global,” a Twitter spokesperson said via email. “We cannot determine exactly how many accounts were impacted or the location of the account holders.”