Twitter security flaw exposes personal data of 5.49 million accounts
Twitter has confirmed that users’ details were exposed in a data breach that exploited a bug the company fixed at the beginning of the year.
The social network said there was no evidence at the time that an attacker had used the security flaw to obtain any data.
However, a July press report revealed that data exfiltrated using the vulnerability was listed on Breached Forums by an attacker calling themselves “devil”.
Twitter examined a sample of the data and verified that it was authentic.
“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the login flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account,” Twitter said.
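The class of login-flow flaw the statement describes, modelled as an added example that is not Twitter's code (Twitter's actual implementation is not on the page): an account-lookup step that leaks whether an email or phone number is registered, beside a hardened version, with a self-test a team can run against its own endpoint. The user store, handles, source address and probe limit are constructed assumptions.

```python
"""Added example, not Twitter's code. Models the account-lookup step of a
login flow in two forms: one that leaks whether an email or phone number is
tied to an account (and which one), and a hardened one. Data is constructed."""
import hashlib
from collections import Counter

# Constructed sample user store: identifier -> account handle
USERS = {
    "alice@example.com": "@alice",
    "+15555550100": "@bob_pseudonymous",
}
PROBE_COUNTER = Counter()   # lookups seen per source, for throttling
PROBE_LIMIT = 5             # assumed per-window limit on lookups


def lookup_leaky(identifier: str) -> dict:
    """Vulnerable pattern: the response differs by account existence and even
    returns the handle, so a list of emails/phones can be mapped to accounts."""
    handle = USERS.get(identifier)
    if handle is None:
        return {"status": 404, "message": "No account found for this identifier"}
    return {"status": 200, "message": "Enter your password", "handle": handle}


def lookup_hardened(identifier: str, source: str = "203.0.113.7") -> dict:
    """Hardened pattern: identical response whether or not the identifier is
    registered, no handle returned before authentication, equal work on both
    paths so timing is not an oracle, and throttling of bulk lookups."""
    PROBE_COUNTER[source] += 1
    if PROBE_COUNTER[source] > PROBE_LIMIT:
        return {"status": 429, "message": "Too many attempts, try again later"}
    USERS.get(identifier)
    # Placeholder for the credential check a real system would still run
    # against a dummy credential when the account does not exist.
    hashlib.sha256(identifier.encode()).hexdigest()
    return {"status": 200, "message": "Continue by entering your password"}


def leaks_existence(lookup, registered: str, unregistered: str) -> bool:
    """Defender's self-test: True if a registered and an unregistered
    identifier receive different answers, i.e. accounts are enumerable."""
    return lookup(registered) != lookup(unregistered)


if __name__ == "__main__":
    probe = ("alice@example.com", "nobody@example.com")
    print("leaky enumerable:   ", leaks_existence(lookup_leaky, *probe))
    print("hardened enumerable:", leaks_existence(lookup_hardened, *probe))
```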
In January 2022, HackerOne user zhirinovskiy disclosed a security vulnerability that could let attackers access the phone numbers and email addresses associated with Twitter accounts.
The disclosure was coordinated. Twitter had fixed the issue by the time the bug was publicly revealed.
“This bug resulted from an update to our code in June 2021,” Twitter said.
When Twitter staff learned of the vulnerability, they investigated and fixed the issue, rewarding zhirinovskiy with $5,040.
In July 2022, RestorePrivacy reported that an attacker with the handle “devil” was selling the information of 5.49 million users compiled by exploiting the vulnerability disclosed by zhirinovskiy.
Twitter said it was taking steps to notify any users confirmed to be affected.
“We will be directly notifying the account owners we can confirm were affected by this issue.”
“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened.”
“To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account,” the company said.
While the breach did not expose passwords, Twitter has encouraged users to protect their accounts from hijacking by enabling two-factor authentication via authentication apps or hardware security keys.
“While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorised logins.”