Twitter data breach: exposed the data of 5.4 million accounts

Twitter data breach: exposed the data of 5.4 million accounts | White Blue Ocean

In late July 2022, Twitter confirmed that it had suffered a data breach, after a threat actor appeared in a popular underground forum selling the data of 5.4 million Twitter users. The microblogging platform was able to confirm that the breach occurred through a 0-day vulnerability in Twitter's systems. As a result of this security flaw, anyone submitting an email address or phone number to Twitter’s systems would be shown which account is associated with that email address or phone number. The bad actor responsible for the breach exploited this vulnerability and created a database of publicly scraped data.


Twitter's vulnerability

This vulnerability had already been identified by a user called 'zhirinovskiy' as part of the HackerOne bug bounty program in December 2021. The bug bounty program, launched by Twitter in 2014, enlists the help of the hacker community to help organisations find and fix critical vulnerabilities, before threat actors in the criminal landscape can exploit them. 'Zhirinovskiy' offered a detailed explanation of how the vulnerability could be exploited, and described it as a dangerous threat that even bad actors with low-level technical skills could take advantage of. It appears that Twitter rewarded 'zhirinovskiy' with a $5,040 bounty for the discovery.

After becoming aware of the vulnerability, Twitter investigated and fixed the bug, which seemed to have inadvertently originated following an update to the platform’s code in June 2021. According to Twitter, at the time there was no evidence that the vulnerability had been exploited. The company later confirmed that the bad actor must have taken advantage of the vulnerability before it was addressed and fixed.

In July 2022, a user going by the moniker 'devil' advertised on a post in an underground forum, the data of 5.4 million Twitter users, including information on the accounts of celebrities and major companies. The owner of the underground forum verified and confirmed the authenticity of the data, which included verified phone numbers and email addresses, in addition to scraped public information including follower count, screen name, location, picture URL and login name. According to cybersecurity researchers, the threat actor was offering the data for sale for no less than $30,000. In a later conversation, the threat actor disclosed the data had been sold to two bad actor for less than the previously mentioned price. Following the natural lifecycle of stolen data, the compromised data will most likely appear for free on other underground forums once the sales possibilities have been exhausted.


The risk to privacy

While the data breach does not expose passwords or financial information, it still poses a significant treat to Twitter users’ privacy. The security breach is especially worrying for the pseudonymous accounts of users who wish to keep their identity private on the platform. According to recent estimates, around 25% of the Twitter accounts of its over 300 million users are pseudonymous or partially anonymous. In a public statement Twitter recognised the concerns of this privacy breach, highlighting how users with pseudonymous account could be targeted by state or other actors. This is especially worrying for users who could face persecution in oppressive regimes, as well as for whistle-blowers, activists, and political opposition, who decided to not disclose their identities on the platform for security reasons. The breach also presents a risk to members of ethnic, religious and sexual minority groups, whose identity could now be revealed to the general public without their consent. The breach also poses the risk of spearphishing attacks to the users of the affected accounts.

Twitter disclosed it was in the process of alerting users who were affected by the data breach. However, the microblogging platform recognised that it will not be able to determine and confirm every account that was impacted. The company encouraged users to enable 2-factor authentication as a security measure. It also suggested to users who wish to remain anonymous to not link publicly known phone numbers or email addresses to their Twitter accounts.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference list

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.

Related news

2020 FireEye Breach

On the 8 December 2020, prominent US-based cybersecurity company FireEye announced on its blog that they had been the victims of a cyber-attack. The nature of the attack has led to experts to theorise that it was carried out by a state-sponsored hacking group, currently believed to be Cozy Bear (also known as APT29).

Read more
Juspay Data Breach

A statement released by Juspay on 5th January 2021 confirms that the Indian-based company has been the target of a cyberattack resulting in a large-scale data breach.

Read more
RDoS: adding the Ransom element to DoS | Read White Blue Ocean Blog
RDoS: adding the Ransom element to DoS

In a continuous effort to find new techniques to extort money from targets, cybercriminals have conceived a new and more aggressive version of the popularised Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. This type of attack, named Ransom Denial of Service (RDoS), first appeared in 2016, but made a comeback in 2020 and 2021, taking advantage of the ever-increasing number of interconnected devices, and of the remote working arrangements caused by Covid-19.

Read more
The dangers of VPN credential leaks | White Blue Ocean
The dangers of VPN credential leaks

The increased reliance on VPNs made the latter an attractive target to cybercriminals. In particular, threat actors began exploiting one of the known weakest links in the chain: users’ passwords.

Read more
How Bad Actors Begin

There is a clear path of progression for a bad actor to go from unknown and uninvolved, to standing shoulder to shoulder with the internet's most sophisticated criminals. In this article we attempt to answer the question of how bad actors are made.

Read more
Could You Be the Target of Cyber Crime?
Could You Be the Target of Cyber Crime?

Bad actors, who may be any kind of hacker, carder, social engineer or otherwise, are always on the hunt for their next victim. how likely is it that you, yourself, are attacked in this way? Are you a target?

Read more
Log4Shell Vulnerability

On the 9th December 2021 a critical zero day vulnerability was publicly disclosed, found in a widely used Java library (a library of ready-made code packages that programmers can use for solving common issues) known as Log4j.

Read more


Let's talk

Please fill in the form below (fields with * are mandatory) and we will respond to your request as soon as possible!