Twitter confirmed last week that the details of 5.4 million users were exposed through a vulnerability that attackers exploited in December, before it had been reported or fixed.
The phone numbers and email addresses that accounts use for authentication were accessed by a bad actor and are now for sale on hacking forums, and probably on the dark web as well.
The vulnerability allowed anyone to submit a phone number or email address to Twitter and retrieve the ID of the account linked to it, which turns a lookup feature into an account-enumeration oracle.
That’s quite the breach!
The hacker was apparently able to scrape the data of some 5.4 million users. The data included their phone number, email address, follower count, screen name, login details, location, profile image, Twitter URL and any other information linked to the account.
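To make the mechanism concrete, here is a hypothetical Python illustration of that class of flaw, added for this write-up and not Twitter's code: a contact-lookup endpoint that behaves as an account-enumeration oracle, the scraper loop an attacker would drive against it, and a hardened version that returns the same reply whether or not the contact is registered and applies a per-client request budget. The account records, names and rate-limit figures are all made up.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Iterable, Optional

# Constructed sample account table (hypothetical data, not real accounts).
ACCOUNTS: Dict[int, Dict[str, str]] = {
    101: {"handle": "alice_pseudonym", "email": "alice@example.com", "phone": "+15550100"},
    102: {"handle": "bob", "email": "bob@example.com", "phone": "+15550101"},
}


def _normalise(contact: str) -> str:
    """Assumed normalisation so that '+1 555-0100' and '+15550100' compare equal."""
    return contact.strip().lower().replace(" ", "").replace("-", "")


def _find_account(contact: str) -> Optional[int]:
    c = _normalise(contact)
    for account_id, rec in ACCOUNTS.items():
        if c in (rec["email"].lower(), rec["phone"]):
            return account_id
    return None


def lookup_vulnerable(contact: str) -> dict:
    """The flawed pattern: the reply differs for known vs. unknown contacts and
    even echoes the account ID, so the endpoint is an enumeration oracle."""
    account_id = _find_account(contact)
    if account_id is None:
        return {"status": "not_found"}
    return {"status": "found", "account_id": account_id, "handle": ACCOUNTS[account_id]["handle"]}


def lookup_hardened(contact: str) -> dict:
    """Fixed pattern: the lookup still happens server-side (e.g. to send a recovery
    message to that contact) but the client gets the same reply either way."""
    _find_account(contact)  # result used only server-side; deliberately not returned
    return {"status": "ok", "message": "If that contact is registered, we have sent instructions."}


class RateLimiter:
    """Sliding-window per-client budget: scraping millions of accounts needs
    millions of probes, which a budget like this makes slow and loud."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # drop probes outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def guarded_lookup(limiter: RateLimiter, client: str, contact: str,
                   now: Optional[float] = None) -> dict:
    """Hardened endpoint with the budget checked before any lookup work is done."""
    if not limiter.allow(client, now):
        return {"status": "rate_limited"}
    return lookup_hardened(contact)


def enumerate_contacts(lookup: Callable[[str], dict], candidates: Iterable[str]) -> Dict[str, int]:
    """What a scraper does with an oracle: feed a candidate list, keep the hits."""
    hits: Dict[str, int] = {}
    for c in candidates:
        r = lookup(c)
        if r.get("status") == "found":
            hits[c] = r["account_id"]
    return hits


if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com", "+1 555 0101"]
    print("oracle:", enumerate_contacts(lookup_vulnerable, probes))
    print("hardened:", enumerate_contacts(lookup_hardened, probes))
```

Against `lookup_vulnerable` the scraper recovers the account IDs behind two of the three probes; against `lookup_hardened` it learns nothing, because the reply carries no existence signal. A uniform reply body is only part of the fix: response time, status codes and error messages must not differ either, and the request budget is what stops the remaining bulk-probing cases.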
Props to Twitter, they did fix the vulnerability once they were made aware of it. A report through their HackerOne bug bounty program alerted them to the flaw and they promptly fixed it.
Not fast enough, though: by then the data of those 5.4 million accounts had already been scraped.
"In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person's email or phone number, they could identify their Twitter account, if one existed."
"This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability."
We now know that a lot of accounts were scraped as a result of that flaw.
The 5.4 million figure apparently came first from the hacker, who was selling the resulting database for $30,000 a copy.
Twitter then confirmed the number in an advisory.
According to Twitter:
"We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors."
The database has apparently been bought more than once, so while the flaw has been fixed, a lot of user data is now out in the wild.