Twitter confirms zero-day used to expose data of 5.4 million accounts

Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users' accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.

Last month, BleepingComputer spoke to a threat actor who said that they were able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site.

This vulnerability allowed anyone to submit an email address or phone number, verify if it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account.

This allowed the threat actor to create profiles of 5.4 million Twitter users in December 2021, including a verified phone number or email address, and scraped public information, such as follower counts, screen name, login name, location, profile picture URL, and other information.

A redacted example of one of these created Twitter profiles can be seen below.

At the time, the threat actor was selling the data for $30,000 and had told BleepingComputer that there were interested buyers.

BleepingComputer later learned that two different threat actors purchased the data for less than the original selling price and that the data would likely be released for free in the future.

Twitter confirms zero-day used to collect data

Today, Twitter has confirmed that the vulnerability used by the threat actor in December is the same one reported to and fixed by them in January 2022 as part of their HackerOne bug bounty program., 

"In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person's email or phone number, they could identify their Twitter account, if one existed," Twitter disclosed in a security advisory today.

"This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability."

As part of today's disclosure, Twitter told BleepingComputer that they have already begun to send out notifications this morning to alert impacted users about whether the data breach exposed their phone number or email address.

At this time, Twitter tells us that they cannot determine the exact number of people impacted by the breach. However, the threat actor claims to have used the flaw to gather the data of 5,485,636 Twitter users.

While no passwords were exposed in this breach, Twitter is encouraging users to enable 2-factor authentication on their accounts to prevent unauthorized logins as a security measure.

For those using a pseudonymous Twitter account, the social media company suggests you keep your identity as anonymous as possible by not using a publicly known phone number or email address on your Twitter account.

"We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors," warned the Twitter advisory.

Furthermore, as two different threat actors have already purchased this data, users should be on the lookout for targeted spear-phishing campaigns utilizing this data to steal your Twitter login credentials.