Twitter confirms January breach, urges pseudonymous accounts to not add email or phone number

Twitter officially confirmed that a January breach led to the leak of information associated with 5.4 million accounts.

Two weeks ago, a hacker on the Breach Forums provided email addresses and phone numbers associated with the accounts, which they said ranged from “celebrities, companies, randoms, OGs, etc.”

Researchers immediately linked the post to a vulnerability in Twitter’s platform that was discovered in January by a security researcher, who reported the issue through HackerOne, the bug bounty platform Twitter uses.

Twitter told The Record on July 22 that it would investigate the matter. On Friday, the company confirmed that the information was obtained through the vulnerability and that the stolen information was legitimate.

The social media giant said the vulnerability allowed anyone to enter a phone number or email address when logging in to find out whether that information was linked to an existing Twitter account. It could also be used to identify the specific account associated with that information.

“We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened,” the company explained.

For those with pseudonymous Twitter accounts, the company said it is “deeply sorry” that this happened and understands the risks that the incident may bring.

Twitter recommended not adding a publicly known phone number or email address to a Twitter account for those interested in keeping their identity hidden.

The company noted that the original bug that caused the breach came from a platform code update in June 2021.

As a result of the vulnerability, if someone were to submit an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any, the company said.
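To make the described flaw concrete, the following is an added example and not Twitter’s code: a minimal account-lookup handler that behaves like the oracle described above (the response reveals which account, if any, is linked to a submitted email or phone number), alongside a hardened version that returns the same response whether or not the identifier is linked, plus the attacker loop that turns the leaky version into a list of identifier-to-handle pairs. The account store, identifiers and function names are constructed for illustration.

```python
"""Account-enumeration oracle versus a uniform-response handler.

Added example, not Twitter's code. ACCOUNTS, the handles and the
contact details below are constructed sample data.
"""
from typing import Callable, Dict, Iterable, Optional

# Constructed sample of contact data linked to (hypothetical) accounts.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "alice_pseudonym": {"email": "alice.real@example.com", "phone": "+15550100"},
    "newsdesk": {"email": "tips@example.org", "phone": "+15550199"},
}

# Stand-in for an out-of-band channel (e-mail/SMS) used by the hardened handler.
OUTBOX = []


def _find_handle(identifier: str) -> Optional[str]:
    """Return the handle whose email or phone matches, or None."""
    for handle, contact in ACCOUNTS.items():
        if identifier in (contact["email"], contact["phone"]):
            return handle
    return None


def vulnerable_lookup(identifier: str) -> dict:
    """Mirrors the flaw in the article: the HTTP response itself tells the
    caller whether the identifier is linked and to which account."""
    handle = _find_handle(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


def hardened_lookup(identifier: str) -> dict:
    """Same response for linked and unlinked identifiers. Any action that
    depends on the lookup (e.g. sending a recovery link) happens out of
    band, so the caller learns nothing from the reply."""
    handle = _find_handle(identifier)
    if handle is not None:
        OUTBOX.append(handle)  # delivered to the account owner, never reflected
    return {
        "status": "ok",
        "message": "If this contact is linked to an account, instructions were sent there.",
    }


def enumerate_with_oracle(lookup: Callable[[str], dict],
                          candidates: Iterable[str]) -> Dict[str, str]:
    """Attacker's loop: submit each email/phone from a list (e.g. a leaked
    contact dump) and keep the pairs the endpoint confirms. Against
    hardened_lookup this yields nothing, because no reply says 'found'."""
    linked: Dict[str, str] = {}
    for ident in candidates:
        resp = lookup(ident)
        if resp.get("status") == "found":
            linked[ident] = resp["handle"]
    return linked


if __name__ == "__main__":
    candidates = ["alice.real@example.com", "nobody@example.net", "+15550199"]
    print("vulnerable:", enumerate_with_oracle(vulnerable_lookup, candidates))
    print("hardened:  ", enumerate_with_oracle(hardened_lookup, candidates))
```

The hardened handler is only half of the fix: a real deployment also needs per-source rate limiting and a response that takes the same time on both code paths, otherwise the oracle reappears through timing or sheer request volume. The point the example isolates is that the linkage itself must never be reflected back to an unauthenticated caller.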

Twitter fixed the bug and said it had no evidence that it had been exploited. On the HackerOne platform, Twitter acknowledged the problem on January 6, paid a $5,040 bounty and fixed the vulnerability by January 13. The researcher confirmed that the vulnerability was fixed the same day.

But in July, RestorePrivacy reported that a hacker — nicknamed “devil” — was selling information compiled by exploiting the flaw.

Twitter’s security team reviewed a sample of the data and confirmed it was legitimate.

Affected accounts will be notified directly, but Twitter said it decided to release the update because it was unable to confirm every account that was potentially affected.

Twitter added that it is “particularly mindful of people with pseudonymous accounts who may be targeted by the state or other actors.”

The company added that although no passwords were exposed, everyone should enable two-factor authentication or other security measures.

RestorePrivacy spoke with the hacker after the breach in July. The hacker said they were selling the data for “nothing lower than 30k”. It is unclear whether the data has been sold.

Jonathan has worked across the globe as a journalist since 2014. Before returning to New York City, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
