Twitter: Zero-day exposes data on 5.4 million users

The breach has since been patched

Twitter learned about the breach through media reports

Micro-blogging site Twitter said on Friday that it had patched a zero-day bug that criminals had used to obtain information on 5.4 million users.

The flaw potentially exposed the identities of pseudonymous accounts by allowing anybody to input a known user's phone number or email address and find out whether it was connected to an active Twitter account.

Last month, a user of popular hacker hang-out Breached Forums offered to sell data apparently belonging to 5.4 million Twitter accounts for $30,000, according to RestorePrivacy.

Two distinct threat actors purchased the data for less than the initial asking price, and said they would release it for free in the future.

Twitter said on Friday that it learned about the vulnerability through its bug bounty programme in January.

That was when HackerOne member Zhirinovskiy reported a flaw that allowed an attacker to identify a Twitter account by the related phone number or email, even if the user had chosen to prevent this in the privacy options.

'The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings,' Zhirinovskiy wrote.

Twitter said the flaw was caused by an upgrade in June 2021.

'When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,' the company said.

Last month, Twitter discovered, through a media report, that someone had potentially exploited the zero-day and was attempting to sell the data they had compiled.

'After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,' it said.

Twitter is now contacting the affected users, although it admitted it cannot confirm every account that was exposed.

The company says it is aware of the risks the breach poses to members who use a pseudonymous account to protect their privacy.

While passwords were not among the stolen information, Twitter is urging users to enable two-factor authentication. Given that the phone number is the key threat vector, users are advised to use either an authentication app or a hardware key, both of which may be configured using Twitter's mobile app.

This is just the latest security incident to hit Twitter in recent years. As part of a settlement with the US Federal Trade Commission in May, Twitter agreed to pay $150 million over misuse of users' phone numbers and email addresses for targeted advertising.