The massive data breach suffered by Twitter, which exposed the emails and phone numbers of its users, may have affected more than 5 million accounts.
In late July, a threat actor compromised the data of 5.4 million Twitter accounts obtained by exploiting a now-fixed vulnerability in the popular social media platform.
Threat actors are selling the stolen data on the popular hacking forum Breached Forums. In January, a report submitted on HackerOne claimed to have found a bug that could allow an attacker to look up a Twitter account by its associated phone number/email, even if the user had chosen to block this in their privacy options.
“The vulnerability allows any party without any authentication to obtain a Twitter account (this is pretty much equivalent to getting the account’s username) of any user by submitting a phone number/email, even if the user has disabled this action in privacy settings. The bug exists due to the authorization process used in Twitter’s Android client, specifically the process of checking for duplicate Twitter accounts,” reads the description in the report zhirinovskiy filed via the bug bounty platform HackerOne. “This is a serious threat, as one can find not only users with limited ability to be found via email/phone number, but anyone with basic knowledge of scripting/coding could enumerate a large portion of Twitter’s user base unavailable prior to enumeration (creating a database, phone/email to username connection). These bases can be sold to malicious parties for advertising purposes, or used to tag celebrities in different malicious campaigns.”
The seller claims that the database contains user data (i.e. emails, phone numbers) ranging from celebrities to companies. The seller also shared a sample of the data in the form of a csv file.
In August, Twitter confirmed that the data breach was caused by a now-patched zero-day vulnerability submitted by researcher zhirinovskiy through bug bounty platform HackerOne, for which he was awarded $5,040.
“We wanted to let you know about a bug that allowed someone to enter a phone number or email address during the login flow in an attempt to learn if that information was associated with an existing Twitter account, and if so, which account,” reads the Twitter advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that would allow someone to identify the email or phone number associated with an account, or, if they knew a person’s email or phone number, they could identify their Twitter account, if it exists,” the social media company continued.
“This bug was due to our code update in June 2021. When we learned about this, we investigated and fixed it. At the time, we had no evidence that this vulnerability was exploited.”
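The flaw described above is a classic account-existence oracle: a signup-time "is this contact already registered?" check that reveals which account owns a phone number or email, regardless of the owner's discoverability setting. The following is an added illustration, not Twitter's code or anything from the HackerOne report. It assumes a toy account store with per-account discoverability flags (the `Account` class, the sample accounts and the function names are all constructed for this example) and contrasts the leaky check with a hardened one that returns a uniform answer, confines contact lookups to an authenticated path that honours the flags, and rate-limits callers so that bulk enumeration is expensive and easy to spot.

```python
"""Account-existence leak in a 'duplicate account' check, and a hardened version.

Constructed example (not Twitter's implementation): a toy user store with the kind
of discoverability flags the article describes, a duplicate-account check that
leaks which account a phone/email belongs to regardless of those flags, and a
hardened check that gives a uniform answer and is rate-limited per caller.
"""
from dataclasses import dataclass
from collections import defaultdict, deque
import time


@dataclass
class Account:
    user_id: int
    username: str
    email: str
    phone: str
    discoverable_by_email: bool = False   # the "let people find me by email" setting
    discoverable_by_phone: bool = False   # the "let people find me by phone" setting


# Constructed sample accounts (not real users or numbers).
ACCOUNTS = [
    Account(1, "alice", "alice@example.com", "+15550000001"),
    Account(2, "bob", "bob@example.com", "+15550000002", discoverable_by_phone=True),
]
BY_EMAIL = {a.email: a for a in ACCOUNTS}
BY_PHONE = {a.phone: a for a in ACCOUNTS}


def _find(identifier):
    """Resolve an email or phone number to an account, or None."""
    return BY_EMAIL.get(identifier) or BY_PHONE.get(identifier)


def vulnerable_duplicate_check(identifier):
    """Unauthenticated signup-time check of the kind the report describes: if the
    contact is already registered, the response says which account owns it and
    ignores the owner's privacy setting entirely."""
    acct = _find(identifier)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "user_id": acct.user_id, "username": acct.username}


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.calls[key]
        while q and now - q[0] > self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window=60.0)


def hardened_duplicate_check(identifier, caller_key, now=None):
    """Same purpose, without the oracle: the visible response is identical whether
    or not the contact is registered, and each caller (IP, device, session) is
    rate-limited. Whether an account exists is only conveyed out of band, e.g. by
    notifying the contact's owner."""
    if not LIMITER.allow(caller_key, now):
        return {"status": "rate_limited"}
    _ = _find(identifier)   # the lookup happens, but never changes the answer
    return {"status": "ok",
            "message": "If this contact is registered, its owner has been notified."}


def contact_lookup(identifier, caller_authenticated):
    """The legitimate 'find people I know' path: requires an authenticated caller
    and honours the per-account discoverability flags for the channel used."""
    if not caller_authenticated:
        return None
    acct = _find(identifier)
    if acct is None:
        return None
    if identifier == acct.email and not acct.discoverable_by_email:
        return None
    if identifier == acct.phone and not acct.discoverable_by_phone:
        return None
    return acct.username


if __name__ == "__main__":
    print(vulnerable_duplicate_check("alice@example.com"))   # leaks alice despite opt-out
    print(hardened_duplicate_check("alice@example.com", "caller-A"))
    print(contact_lookup("+15550000002", True))               # bob opted in: 'bob'
    print(contact_lookup("alice@example.com", True))          # alice opted out: None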
This week, the website 9to5mac.com claimed that the data breach was different from what the company initially reported. The site reported that multiple threat actors exploited the same vulnerability, and that different sets of the data are available in the cybercrime underground.
“Twitter suffered a massive data breach last year that exposed more than 5 million phone numbers and email addresses, worse than initially reported. We’ve seen evidence that the same security hole was exploited by multiple bad actors, and the hacked data has been sold on the dark web by multiple sources,” reads the post by 9to5Mac.
The claim is based on the availability of a dataset containing the same information, provided by different threat actors in different formats. Sources told the website that the database was “just one of many documents they saw”. It appears that the only accounts affected are those that had the “Discoverability | Phone” option (which is difficult to find in Twitter’s settings) enabled in late 2021.
The archive seen by 9to5Mac includes data on Twitter users in the United Kingdom, almost every EU country, and parts of the United States.
“I got multiple files, one for each phone number country code, containing the phone number / Twitter account name pairs for the entire country phone number space from +XX 0000 to +XX 9999,” the source told 9to5Mac. “Any Twitter account with Discoverability | Phone options enabled in late 2021 is listed in the dataset.”
Experts speculate that multiple threat actors could access the Twitter database and combine it with data from other security breaches.
The security researcher behind the account @ChadLord (Twitter after the revelation) told 9to5Mac, “The email-Twitter pairing was derived by running the existing large database of 100 million+ email addresses through this Twitter discoverability bug.”
The researchers told the site they would contact Twitter for comment, but the entire media relations team has left the company.
UPDATE: After a discussion with colleague @sonoclaudio, we noticed posts on the popular hacking forum reporting 1.4 account suspensions. Now the question is: why is the data still present in the database months after the accounts were suspended? How long is Twitter’s retention period? Is Twitter violating the GDPR for European users?
Follow me on Twitter: @securityaffairs, and on Facebook and Mastodon
(security affairs – Hacking, Twitter)