
Twitter admits zero-day vulnerability led to the theft of 5.4 million users’ data and has now been fixed


Twitter has acknowledged that the recently revealed user data breach was made possible by hackers using a zero-day vulnerability, which has now been fixed. The vulnerability existed in a feature that tied email addresses and phone numbers to user accounts, leading hackers to access a list file containing 5.4 million user accounts.

Last month BleepingComputer learned that a hacker said they could exploit a vulnerability on the social media site to create a list of 5.4 million Twitter account profiles.

This vulnerability allowed anyone to submit an email address or phone number, verify that it was associated with a Twitter account, and retrieve the associated account ID. Threat actors then used this ID to grab public information about the account.

This allowed the attackers to compile 5.4 million Twitter user profiles in December 2021, each tied to a verified phone number or email address, and to grab public information such as follower counts, screen names, login names, locations, profile picture URLs, and other details.
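The flaw described above is a classic account-enumeration oracle: a lookup endpoint whose response reveals whether an email or phone number is linked to an account. The following is an added illustration, not Twitter's code, showing that leaky pattern beside a hardened handler that returns the same response for known and unknown identifiers and caps lookups per client, plus a simple log check that flags clients probing many distinct identifiers. The account table, client addresses and log lines are constructed sample data.

```python
"""Added example (not Twitter's code): an identifier-lookup endpoint that acts as an
account-enumeration oracle, a hardened version with a uniform response and a
per-client lookup cap, and a log-based check for enumeration-like behaviour."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample account store: identifier -> account id (hypothetical values)
ACCOUNTS = {
    "alice@example.com": 1001,
    "+15550000001": 1002,
}


def lookup_leaky(identifier: str) -> dict:
    """Vulnerable pattern: the response differs depending on whether the identifier
    exists, and even returns the account id, so the endpoint confirms the link
    between an email/phone number and an account."""
    account_id = ACCOUNTS.get(identifier)
    if account_id is None:
        return {"status": 404, "body": {"error": "no account found"}}
    return {"status": 200, "body": {"account_id": account_id}}


@dataclass
class LookupService:
    """Hardened pattern: identical response for known and unknown identifiers,
    no account id in the response, and a per-client cap on lookups per window."""
    max_per_window: int = 5
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def lookup(self, client: str, identifier: str) -> dict:
        self.counts[client] += 1
        if self.counts[client] > self.max_per_window:
            return {"status": 429, "body": {"error": "too many requests"}}
        # Any side effect (e.g. sending a recovery message) happens only when the
        # identifier is known, but the caller cannot tell that from the response.
        _ = ACCOUNTS.get(identifier)
        return {
            "status": 202,
            "body": {"message": "If an account matches, we will send instructions to it."},
        }


# Constructed access log lines: "<client> <identifier> <status>"
SAMPLE_LOG = """\
10.0.0.5 alice@example.com 200
10.0.0.5 bob@example.com 404
10.0.0.5 carol@example.com 404
10.0.0.5 +15550000001 200
10.0.0.5 +15550000002 404
10.0.0.9 alice@example.com 200
"""


def flag_enumeration(log_text: str, threshold: int = 3) -> dict:
    """Detection: count distinct identifiers each client looked up; clients at or
    above the threshold are reported as probable enumeration."""
    distinct = defaultdict(set)
    for line in log_text.splitlines():
        client, identifier, _status = line.split()
        distinct[client].add(identifier)
    return {c: len(ids) for c, ids in distinct.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(lookup_leaky("alice@example.com"), lookup_leaky("nobody@example.com"))
    svc = LookupService(max_per_window=2)
    print(svc.lookup("10.0.0.5", "alice@example.com") == svc.lookup("10.0.0.5", "nobody@example.com"))
    print(flag_enumeration(SAMPLE_LOG))
```

The hardened handler makes the existence check unobservable at the response level; the rate cap and the log check cover the residual risk that timing or volume still leaks something, which is why both response uniformity and monitoring are needed for a lookup endpoint like the one Twitter described.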

BleepingComputer has since learned that two different threat actors purchased the data for less than the original asking price and that the data may be released for free in the future.

Today, Twitter has confirmed that the vulnerability used by the threat actors in December was the same one that was reported to it and fixed in January 2022 through its HackerOne vulnerability bounty program.

In today’s security bulletin, Twitter disclosed, “In January 2022, we received a report of a vulnerability through our Vulnerability Bounty Program that allowed someone to identify the email or phone number associated with an account, or, if they knew someone’s email or phone number, they could identify their Twitter account if one exists.”
