A zero-day vulnerability in Twitter’s code base was responsible for a major data breach that is thought to have affected 5.4 million users, the social media firm has revealed.
The threat actor was hoping to sell the profile data for $30,000 on a cybercrime site. Some information was scraped from public Twitter profiles, including location and image URL. However, they were crucially able to link account emails and phone numbers with account IDs by leveraging the vulnerability.
“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” Twitter explained.
“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
However, the firm realized last month that a malicious actor had indeed been able to take advantage of the bug before it managed to patch it.
“We will be directly notifying the account owners we can confirm were affected by this issue,” it said.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”
The firm is recommending those who use Twitter pseudonymously not to add a publicly known phone number or email address to their account.
It also suggested users switch on two-factor authentication for extra login security, using either a dedicated app or hardware security keys. However, no passwords were stolen in the attack.