The company says it has fixed the zero-day exploit used in the attack
Zero-day exploits are a standing threat to the technology industry, and web browsers such as Chrome and Firefox are frequent targets. Although Google keeps finding and patching zero-days, malicious actors are constantly probing every kind of service for security holes. Twitter was the target of such an attack in December 2021, with the individual responsible claiming to have obtained key information on 5.4 million accounts on the platform. The company has now officially confirmed that the attack took place and that the zero-day vulnerability used to carry it out has been fixed.
While Twitter is releasing details of the breach, that does not change the fact that the attacker still holds the user account data. The attacker told BleepingComputer last month that he was able to compile profiles of 5,485,636 accounts with information such as location, URL, profile picture and other data. He used a vulnerability that let anyone submit a phone number or email address, learn whether it belonged to an active Twitter account, and then retrieve that account's information.
Most notably, the data was being offered for around $30,000 according to the release, although it was reportedly sold for a significantly smaller amount to at least two separate buyers. The attacker also said at the time that the data could end up being released for free, putting the privacy of millions of users at risk.
For its part, Twitter said it learned about the flaw in January this year through its bug bounty program on HackerOne, adding that the vulnerability was introduced by an update to its code in June 2021. While the problem was initially fixed earlier this year, Twitter says it did not consider the likelihood that an attacker already had the data. That changed last month, after an initial wave of publicity over the attack, when Twitter examined one of the samples that had been put up for sale and confirmed that the zero-day vulnerability in question had been used to obtain it.
Twitter said it is notifying every affected user, but acknowledged that it cannot confirm every account that was exposed through this security gap. Governments or terrorist groups could use the breached data to identify and track the people behind accounts they are pursuing. Passwords were not part of the breach, but the company is advising users to enable two-factor authentication on their accounts. Given that phone numbers themselves are a threat vector in this case, users should choose either an authentication app or a hardware security key as the second factor, both of which can be configured in the Twitter app settings.