Twitter Confirms Zero-Day Bug That Exposed 5.4M Accounts
Vulnerability Allowed Threat Actors to Gain Access to Personal Information
Social media platform Twitter confirms that a zero-day vulnerability allowed threat actors to gain access to the personal information of 5.4 million user account profiles.
The compromised profiles, which were earlier put on sale in a cybercrime forum, were breached after a now-patched bug allowed anyone to enter a phone number or an email address of a user and learn if that information was connected to an existing Twitter account and, if so, which specific account.
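The defect described above is an account-enumeration oracle: a lookup that confirms whether an email address or phone number belongs to an account, and which one. The following is an added illustration, not Twitter's code; the account store, handler names and per-user discoverability settings are assumptions. It places the leaky lookup beside a hardened form that honours the owner's opt-in and otherwise returns an identical response for "no account" and "account not discoverable".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    handle: str
    email: str
    phone: str
    # Assumed per-user settings: may others find me by this contact method?
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False

# Constructed sample directory (not real accounts).
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550000001", discoverable_by_email=True),
    Account("bob", "bob@example.com", "+15550000002"),
]

def _find(contact: str) -> Optional[Account]:
    """Resolve an email address or phone number to the stored account, if any."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct
    return None

def leaky_lookup(contact: str) -> dict:
    """Vulnerable form: confirms that an account exists for any submitted
    email or phone and names it, ignoring the owner's discoverability setting."""
    acct = _find(contact)
    if acct is None:
        return {"status": "no_account"}
    return {"status": "found", "handle": acct.handle}

def hardened_lookup(contact: str) -> dict:
    """Hardened form: a contact resolves to a handle only when its owner opted
    in for that channel. Every other case yields the same response, so the
    caller cannot tell 'no account' from 'account exists but not discoverable'."""
    acct = _find(contact)
    if acct is None:
        return {"status": "no_match"}
    by_email = contact == acct.email
    allowed = acct.discoverable_by_email if by_email else acct.discoverable_by_phone
    if allowed:
        return {"status": "found", "handle": acct.handle}
    return {"status": "no_match"}
```

In a deployed service the uniform response should be paired with per-caller rate limiting on the lookup endpoint, since bulk queries against the leaky form are what turn a single-lookup bug into a 5.4 million-record dataset.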
Information Security Media Group could not independently verify the number of user accounts affected so far. But Bleeping Computer, in a report in July, says it spoke with the threat actor who created a list of 5.4 million Twitter account profiles using this vulnerability and offered the compromised data for sale for $30,000.
"While there's no action for you to take specific to this issue, we want to share more about what happened, the steps we've taken, and some best practices for keeping your account secure," Twitter said in a Friday statement.
The company also says that no passwords were exposed and recommended that Twitter users enable two-factor authentication using authentication apps or hardware security keys to protect their accounts from unauthorized logins.
A spokesperson for Twitter was not immediately available to comment.
Twitter says it was notified about this specific vulnerability in its systems through its HackerOne bug bounty program in January.
The company awarded a security researcher a $5,040 bounty for his findings.
Twitter says that the bug resulted from an update to its code in June 2021, and in 2022 it learned through a press report that bad actors had leveraged the bug and were offering to sell the information they had compiled.
The company says that as soon as it learned about this vulnerability, it investigated and fixed it.
Twitter says it reviewed a sample of the available data for sale on the cybercrime forum and confirmed that the bad actors had taken advantage of the issue before it was addressed.
Twitter also says that it will be directly contacting affected account owners.
"We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors," the statement says.
This vulnerability comes after the social media giant was recently slapped with a $150 million penalty for deceptively using the account security data of millions of users for targeted advertising.
The U.S. Justice Department and the Federal Trade Commission said that the company knew or should have known that its conduct violated the 2011 FTC Order, which prohibits misrepresentations concerning how Twitter maintains email addresses and telephone numbers collected from users (see: Twitter Fined $150M for Misusing Private Data to Sell Ads).