This Zero-Day Twitter Hack Has Already Impacted 5.5 Million Users: Report

At least 5 million Twitter users impacted by zero-day hack, but the total could yet exceed 20 million.

On 5 August 2022, Twitter confirmed that a threat actor used a zero-day vulnerability to compile a database of user information. That vulnerability was fixed, Twitter said, in January 2022. However, Bleeping Computer has reported that the database, which includes non-public information of more than 5 million users, has now been shared for free within a breached data marketplace forum. The publication also reports that another database, potentially containing 17 million records, was created using the same vulnerability. Here’s what we know so far.

Database of 5,485,635 Twitter users shared by cybercriminals online

The Bleeping Computer report confirms that the database of 5,485,635 Twitter user records, initially offered for sale at $30,000 in July, has been shared on 24 November, for free, on the Breach Forums site. Most of the data, it would appear, is publicly known, such as Twitter usernames, login names, and verification status. However, the report also states that private information, such as telephone numbers and email addresses, is also included.

The information appears to have been gathered using an Application Programming Interface (API) vulnerability, as first disclosed by a hacker on the HackerOne bug bounty platform (who received a $5,000 payment from Twitter), enabling the data to be scraped. “APIs allow computers to communicate with one another, and account for around 80% of all the traffic that traverses the Internet. In short, APIs are very important and should be treated as such,” Ed Williams, director of SpiderLabs (EMEA) at Trustwave, says. “Yet, we still see common security-related issues around APIs, most notably authentication (or lack of) based issues, a lack of resource and rate limiting, and generic API security misconfigurations like TLS, error handling, and logging. We know from recent data breaches that a combination of these can yield significant amounts of personal data.”

Twitter confirms API zero-day vulnerability

In the August statement, Twitter said: “As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.” Twitter also confirmed it would be contacting any users affected to notify them of the issue. However, the statement continued: “…we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”
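The behaviour Twitter describes, a lookup that answers "which account is this email or phone number attached to", is an account-enumeration weakness, and Ed Williams's points above about authentication, rate limiting and logging are the controls that contain it. The following Python is an added example, not code from the Forbes article, from Twitter, or from any real Twitter system: it models the leaky lookup beside an enumeration-resistant design (uniform responses, out-of-band delivery, per-client rate limiting) and a detection pass over the audit log. All names, sample contacts, handles and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample directory (contact -> account handle); not real data.
CONTACT_TO_ACCOUNT = {
    "alice@example.com": "@alice_demo",
    "+15550100": "@bob_demo",
}

OUTBOX = []  # constructed stand-in for a mail/SMS delivery queue


def vulnerable_lookup(contact: str) -> dict:
    """Leaky pattern of the kind Twitter's statement describes: the reply
    tells the caller whether the email/phone is tied to an account and which
    one, so a list of contacts can be turned into a list of accounts."""
    handle = CONTACT_TO_ACCOUNT.get(contact)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "account": handle}


class SlidingWindowLimiter:
    """Per-client sliding window: at most `limit` lookups per `window` seconds.
    The thresholds are illustrative assumptions, not Twitter's real limits."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client_id -> timestamps of allowed calls

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def _deliver_out_of_band(contact: str, handle: str) -> None:
    """Constructed stand-in for notifying the contact's owner directly
    (e.g. an email to the address); the API caller never sees this."""
    OUTBOX.append((contact, handle))


def hardened_lookup(contact: str, client_id: str,
                    limiter: SlidingWindowLimiter, now: float,
                    audit_log: list) -> dict:
    """Enumeration-resistant version: every request is logged, excess
    requests are refused, and the response is identical whether or not the
    contact exists, because the result only ever goes out of band."""
    audit_log.append({"client": client_id, "contact": contact, "t": now})
    if not limiter.allow(client_id, now):
        return {"status": "rate_limited"}
    handle = CONTACT_TO_ACCOUNT.get(contact)
    if handle is not None:
        _deliver_out_of_band(contact, handle)
    return {"status": "accepted"}


def flag_enumeration(audit_log: list, min_distinct: int, window: float) -> set:
    """Detection helper: clients that submitted at least `min_distinct`
    different contacts within any `window`-second span of the audit log."""
    by_client = defaultdict(list)
    for entry in audit_log:
        by_client[entry["client"]].append((entry["t"], entry["contact"]))
    flagged = set()
    for client, events in by_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - t0 < window}
            if len(seen) >= min_distinct:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    print("leaky:", vulnerable_lookup("alice@example.com"))
    limiter, log = SlidingWindowLimiter(limit=3, window=60.0), []
    for t, c in enumerate(["alice@example.com", "nobody@example.com", "+15550100", "alice@example.com"]):
        print("hardened:", hardened_lookup(c, "scraper-1", limiter, float(t), log))
    print("flagged clients:", flag_enumeration(log, min_distinct=3, window=60.0))
```

The hardened variant deliberately gives the same `accepted` reply for known and unknown contacts; a caller learns nothing from the response body, and only the rate limiter's `rate_limited` status is observable, which is the behaviour you want an abuser to hit first. The `flag_enumeration` pass is the kind of query a SOC would run over API access logs to spot one client cycling through many different contacts.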

Researcher claims a much larger database of stolen Twitter user data also exists

Another researcher, Chad Loder, has also claimed that a more extensive database of stolen data exists that is different from the previously shared one but contains information collected using the same API vulnerability. Loder posted to Mastodon, after being suspended from Twitter, with a redacted screenshot allegedly showing data from the new database, which Loder says includes “data from entire countries.” A sample of this database was obtained by Bleeping Computer, containing more than a million phone numbers for French Twitter users. The publication says it has since confirmed with multiple users that the numbers are genuine and that the database includes member lists from Europe and Israel as well as the U.S. “We were told that it consists of over 17 million records but could not independently confirm this,” Bleeping Computer states.

What does this mean to Twitter users?

“The immediate issues here will be leaked private numbers, which may lead to risks to victims of stalking or those voicing unpopular opinions, as well as, of course, for celebrities,” warns Martin Jartelius, chief security officer at Outpost24. “Also note that if you were attempting to stay anonymous on Twitter, correlations between your email and phone on your identity on other platforms might lead to your identification, so if you have voiced statements you are not ready to be associated with today, consider how to manage a situation where this might get exposed.”

“It is vital that anyone who receives an email purporting to be from Twitter in the coming weeks is very vigilant as it is likely to be a phishing email,” Jake Moore, global cybersecurity advisor at ESET, adds. “Hackers will no doubt attempt to gain access to people’s accounts and try to steal login credentials, so it is important people do not click on links from such emails and make sure Twitter two-factor authentication is turned on.”

I have reached out to Twitter Communications for a statement but have yet to hear back at the time of publication.

https://www.forbes.com/sites/daveywinder/2022/11/29/zero-day-twitter-hack-confirmed-impact-could-exceed-20-million-users-report/amp/
