In late July 2022, Twitter confirmed that it had suffered a data breach, after a threat actor appeared in a popular underground forum selling the data of 5.4 million Twitter users. The microblogging platform was able to confirm that the breach occurred through a 0-day vulnerability in Twitter's systems. As a result of this security flaw, anyone submitting an email address or phone number to Twitter’s systems would be shown which account is associated with that email address or phone number. The bad actor responsible for the breach exploited this vulnerability and created a database of publicly scraped data.

Twitter's vulnerability

This vulnerability had already been identified by a user called 'zhirinovskiy' as part of the HackerOne bug bounty program in December 2021. The bug bounty program, launched by Twitter in 2014, enlists the help of the hacker community to help organisations find and fix critical vulnerabilities, before threat actors in the criminal landscape can exploit them. 'Zhirinovskiy' offered a detailed explanation of how the vulnerability could be exploited, and described it as a dangerous threat that even bad actors with low-level technical skills could take advantage of. It appears that Twitter rewarded 'zhirinovskiy' with a $5,040 bounty for the discovery.

After becoming aware of the vulnerability, Twitter investigated and fixed the bug, which seemed to have inadvertently originated following an update to the platform’s code in June 2021. According to Twitter, at the time there was no evidence that the vulnerability had been exploited. The company later confirmed that the bad actor must have taken advantage of the vulnerability before it was addressed and fixed.

In July 2022, a user going by the moniker 'devil' advertised on a post in an underground forum, the data of 5.4 million Twitter users, including information on the accounts of celebrities and major companies. The owner of the underground forum verified and confirmed the authenticity of the data, which included verified phone numbers and email addresses, in addition to scraped public information including follower count, screen name, location, picture URL and login name. According to cybersecurity researchers, the threat actor was offering the data for sale for no less than $30,000. In a later conversation, the threat actor disclosed the data had been sold to two bad actor for less than the previously mentioned price. Following the natural lifecycle of stolen data, the compromised data will most likely appear for free on other underground forums once the sales possibilities have been exhausted.

The risk to privacy

While the data breach does not expose passwords or financial information, it still poses a significant treat to Twitter users’ privacy. The security breach is especially worrying for the pseudonymous accounts of users who wish to keep their identity private on the platform. According to recent estimates, around 25% of the Twitter accounts of its over 300 million users are pseudonymous or partially anonymous. In a public statement Twitter recognised the concerns of this privacy breach, highlighting how users with pseudonymous account could be targeted by state or other actors. This is especially worrying for users who could face persecution in oppressive regimes, as well as for whistle-blowers, activists, and political opposition, who decided to not disclose their identities on the platform for security reasons. The breach also presents a risk to members of ethnic, religious and sexual minority groups, whose identity could now be revealed to the general public without their consent. The breach also poses the risk of spearphishing attacks to the users of the affected accounts.

Twitter disclosed it was in the process of alerting users who were affected by the data breach. However, the microblogging platform recognised that it will not be able to determine and confirm every account that was impacted. The company encouraged users to enable 2-factor authentication as a security measure. It also suggested to users who wish to remain anonymous to not link publicly known phone numbers or email addresses to their Twitter accounts.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference list

https://www.bleepingcomputer.com/news/security/twitter-confirms-zero-day-used-to-expose-data-of-54-million-accounts/

https://www.cpomagazine.com/cyber-security/twitter-confirms-zero-day-security-breach-exposed-anonymous-accounts/

https://fortune.com/2022/07/26/twitter-user-data-breach-hacker-lists-database-of-5-million-users-for-sale/ 

https://hackerone.com/twitter?type=team

https://www.malwarebytes.com/blog/news/2022/08/twitter-confirmed-july-2022-data-breach-affecting-5.4m-users 

https://restoreprivacy.com/twitter-vulnerability-exposes-5-million-accounts/

https://tech.co/news/twitter-breach-of-5-4-million-users-could-expose-anonymous-accounts

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.