Twitter has confirmed in recent days that it suffered a data breach resulting from the exploitation of a zero-day vulnerability, which led to the exfiltration of data on 5.4 million user account profiles.
The flaw has since been fixed, but while it existed it allowed anyone aware of it to retrieve the ID of any Twitter account simply by submitting an email address or phone number. The ID could then be used to retrieve public information about the account.
In December 2021, an unidentified threat actor exploited the vulnerability to compile a list containing the information of 5.4 million Twitter users, including for each of them a telephone number or an email address, together with other public information such as the number of followers, the name used on the social network, the location, the URL of the profile image and so on. The data was then put up for sale for $30,000 and subsequently purchased by two other threat actors.

The vulnerability was addressed by Twitter in January 2022 after being reported through its bug bounty program. The company has officially communicated in recent days: “In January 2022, we received a report via our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew the email or phone number of a person, could identify any associated Twitter account.”
Twitter has already sent notifications to the affected users who, unwittingly, appeared in the list of 5.4 million profiles. However, the company is unable to determine the exact number of people affected by this breach. As noted above, the flaw only allowed public information to be retrieved, and although no passwords were exposed, Twitter suggests that users enable two-factor authentication on their accounts to reduce the risk of unauthorized access. The company also advises those who use a pseudonymous account to protect their identity by avoiding publicly known telephone numbers or email addresses.
Since the data is in the hands of someone with an interest in using it, the most likely risk is identity theft and spear-phishing attacks aimed at stealing login credentials.
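As an added illustration (not Twitter's code and not from the article), the snippet below shows a minimal contact-lookup handler with the enumeration pattern described above beside a hardened variant that answers uniformly, plus a defender-side check that tells the two apart. The account directory and the outbox are constructed sample data.

```python
import secrets

# Constructed sample directory: contact identifier -> account id (not real data)
ACCOUNTS = {
    "alice@example.com": 1001,
    "+15550100": 1002,
}

# Constructed stand-in for an out-of-band channel (email/SMS to the contact itself)
OUTBOX: list[tuple[str, int]] = []


def vulnerable_lookup(identifier: str) -> dict:
    """Leaky pattern the article describes: the response reveals whether the
    email/phone is registered and which account id it maps to, which is
    enough to pull the account's public profile."""
    account_id = ACCOUNTS.get(identifier)
    if account_id is None:
        return {"exists": False}
    return {"exists": True, "account_id": account_id}


def hardened_lookup(identifier: str) -> dict:
    """Uniform response: identical body whether or not the identifier is
    registered. Anything account-specific goes out-of-band to the contact
    channel itself, never back to the unauthenticated caller. Rate limiting
    per source and per identifier should back this up in a real service."""
    account_id = ACCOUNTS.get(identifier)
    if account_id is not None:
        OUTBOX.append((identifier, account_id))
    return {"message": "If that contact is registered, instructions have been sent."}


def leaks_existence(handler, registered: str, unregistered: str) -> bool:
    """Defender-side check: does the handler answer differently for a known
    identifier than for an unknown one? True means the endpoint is enumerable."""
    return handler(registered) != handler(unregistered)


def random_unregistered() -> str:
    """Constructed identifier guaranteed not to be in the sample directory."""
    return f"{secrets.token_hex(8)}@example.invalid"
```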
