At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.
The threat actor offered for sale the stolen data on the popular hacking forum Breached Forums. In January, a report published on Hacker claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options.
"The vulnerability allows any party without any authentication to obtain a twitter ID(which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibitted this action in the privacy settings. The bug exists due to the proccess of authorization used in the Android Client of Twitter, specifically in the procces of checking the duplication of a Twitter account." " reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. "This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavaliable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of tageting celebrities in different malicious activities"
The seller claimed that the database was containing data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of data in the form of a csv file.
"A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above." reads the post published by RestorePrivacy.
"We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user's email or phone number used with the account."
The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.
Now Twitter confirmed that the data breach was caused by the now-patched zero-day vulnerability submitted by zhirinovskiy via bug bounty platform HackerOne.
Twitter confirmed the existence of this vulnerability and awarded zhirinovskiy with a $5,040 bounty.
"We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account." reads the Twitter's advisory. "In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person's email or phone number, they could identify their Twitter account, if one existed," continues the social media firm.
"This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability."
The company is notifying the impacted users, it also added that it is aware of the risks caused by the security breach for those users operating a pseudonymous Twitter account to protect their privacy.
The company pointed out that no passwords were exposed, but encourages its users to enable 2-factor authentication using authentication apps or hardware security keys to protect their accounts from unauthorized logins.
BleepingComputer reported that two different threat actors purchased the data for less than the original selling price. This means that threat actors could use these data to target Twitter accounts in the future.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs - hacking, Data leak)
