Twitter Says 5.4 Million User Accounts Exposed Through Zero-Day Exploit

Twitter on Friday confirmed a December 2021 security breach in which an attacker used a zero-day exploit to steal data from more than 5.4 million user accounts, BleepingComputer reports.

The hack exploited a vulnerability in the mechanism by which Twitter lets users link email addresses and phone numbers to their accounts.

Threat actors were able to submit an email address or phone number and learn whether it was associated with an existing Twitter account. If it was, the exploit also returned the associated account ID, which they could then use to scrape all of that user's public profile information. In other words, the endpoint acted as an account-enumeration oracle: the response itself revealed whether a contact was registered, and a large list of emails and phone numbers could be fed through it to harvest accounts in bulk.
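The following is an added example, not Twitter's code and not a reconstruction of the actual endpoint: a hypothetical contact-linking check that behaves like the oracle described above (a distinguishable response plus the account ID for registered contacts), the attacker's harvesting loop against it, and a hardened version that returns the same response either way and rate-limits callers. All account data, contact values, function names and the limit of 20 requests per client are constructed for the example. The scraped fields mirror the ones the article later says were leaked (screen name, login name, location, follower count, profile picture URL).

```python
# Added example (not Twitter's code): an account-linking lookup that leaks
# whether an email/phone is registered, beside a version that does not.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    screen_name: str
    login_name: str
    location: str
    followers: int
    avatar_url: str


# Constructed sample data for the example; these are not real accounts.
ACCOUNTS = {
    1001: Account(1001, "Alice Example", "alice", "Berlin", 1200, "https://img.example/1001.jpg"),
    1002: Account(1002, "Bob Example", "bob_b", "Lagos", 45, "https://img.example/1002.jpg"),
}
# Email/phone -> account ID, as a contact-linking feature would keep it.
CONTACT_INDEX = {
    "alice@example.com": 1001,
    "+4915112345678": 1001,
    "bob@example.com": 1002,
}


def vulnerable_link_check(contact: str) -> dict:
    """Hypothetical handler with the class of flaw the article describes: the
    response differs depending on whether the contact is registered, and it
    hands back the account ID, so the caller learns which accounts exist and
    can move on to scraping their public profiles."""
    account_id = CONTACT_INDEX.get(contact)
    if account_id is None:
        return {"status": "unknown_contact"}
    return {"status": "already_linked", "account_id": account_id}


class RateLimiter:
    """Minimal per-client request counter (assumed limit; a real service would
    use a sliding window and key on more than a client string)."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, client: str) -> bool:
        self.counts[client] += 1
        return self.counts[client] <= self.limit


LIMITER = RateLimiter(limit=20)  # assumed value for the example


def hardened_link_check(contact: str, client: str) -> dict:
    """Same operation without the oracle: an identical response for registered
    and unregistered contacts (the real outcome goes out of band, e.g. as a
    message to that email or phone), plus a per-client rate limit so bulk
    probing is throttled even if some other signal leaks."""
    if not LIMITER.allow(client):
        return {"status": "rate_limited"}
    # The lookup still runs so both paths do the same work, but its result
    # is never reflected in the response.
    _ = CONTACT_INDEX.get(contact)
    return {"status": "if_registered_you_will_be_notified"}


def public_profile(account_id: int) -> dict:
    """Public data an attacker can scrape once an ID is known (constructed
    fields matching the ones the article lists as leaked)."""
    a = ACCOUNTS[account_id]
    return {"screen_name": a.screen_name, "login_name": a.login_name,
            "location": a.location, "followers": a.followers,
            "avatar_url": a.avatar_url}


def harvest(contacts, check) -> dict:
    """Attacker's loop: push a contact list through the check, keep any
    account ID the response leaks, and scrape that account's public data."""
    found = {}
    for contact in contacts:
        resp = check(contact)
        if "account_id" in resp:
            found[contact] = public_profile(resp["account_id"])
    return found


if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com", "+4915112345678"]
    print("vulnerable:", harvest(probes, vulnerable_link_check))
    print("hardened:", harvest(probes, lambda c: hardened_link_check(c, "attacker")))
```

Run against the vulnerable check, `harvest` recovers every registered contact and its profile; against the hardened check it recovers nothing, because the two responses are indistinguishable and the caller is cut off after the limit. The check that matters when reviewing such an endpoint is whether any observable (status code, message, body shape, timing, or a returned identifier) differs between the registered and unregistered cases.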

“In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” Twitter explained in a security advisory.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”

However, those behind the hack were ultimately able to collect information from 5,485,636 Twitter accounts. The leaked data included follower counts, screen names, login names, locations, profile picture URLs, and other public profile information of the affected users, tied to the email address or phone number that had been used to find each account.

All of the data was compiled and put up for sale on a dark web forum for $30,000 USD. BleepingComputer was able to confirm that the data set was sold to at least two parties for less than the asking price, and the publication believes the information might be released for free in the future.

Alongside confirming the hack, Twitter said it has started notifying the users it can confirm had their phone numbers or email addresses exposed in the breach. The company has so far been unable to determine exactly how many users were affected.

“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” Twitter warned in its advisory.

No passwords were exposed by the hack, but Twitter is encouraging users to enable two-factor authentication (2FA) anyway. Users whose personal information was leaked should also beware of targeted phishing campaigns, and since phone numbers were among the exposed data, an authenticator app or security key is a safer second factor than SMS codes.

Twitter has had a rough few months. The company reported disappointing second-quarter financials last month and is currently embroiled in a legal battle with billionaire Elon Musk to get him to follow through on his $44 billion bid for the company.