Twitter data breach far worse than initially reported

More than one actor used the same zero-day bug to steal user data from the platform

More than 5.4 million Twitter users' personal information had been accessed by a number of bad actors, not just one


A Twitter data breach last year that exposed nearly 5.4 million phone numbers and email addresses was far worse than initially thought.

9to5Mac says it has seen evidence that more than one malicious actor used the same Twitter zero-day vulnerability to steal data from the platform, and that the same data has been put up for sale on the dark web by a number of sources.

It was previously believed that only a single hacker had accessed the data.

In August this year, Twitter admitted it learned about the vulnerability through its bug bounty programme in January. The flaw potentially exposed the identities of pseudonymous accounts by allowing anybody to input a known user's phone number or email address and find out whether it was connected to an active Twitter account.

HackerOne member Zhirinovskiy discovered and reported the flaw and said it allowed an attacker to identify a Twitter account, even if the user had chosen to prevent this in the privacy options.

"The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings," Zhirinovskiy wrote.

The flaw was caused by an upgrade in June 2021.
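As an added illustration (not code from the article, Twitter or the researcher), this is the shape of the flaw described above: a contact-lookup handler that answers any caller regardless of the user's discoverability setting, next to one that requires a session and honours that setting. The accounts, field names and IDs are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Account:
    user_id: int                 # numeric account ID (constructed)
    handle: str
    phone: Optional[str]
    email: Optional[str]
    discoverable_by_phone: bool  # the "Discoverability | Phone" privacy option
    discoverable_by_email: bool


# Constructed sample data; these are not real users or numbers.
ACCOUNTS: List[Account] = [
    Account(1001, "alice", "+15550000001", "alice@example.test", False, False),
    Account(1002, "bob",   "+15550000002", "bob@example.test",   True,  True),
]


def lookup_vulnerable(contact: str) -> Optional[int]:
    """Behaviour the article describes: any unauthenticated caller learns the
    account ID tied to a phone number or email, ignoring the privacy setting.
    Returning an ID here is what makes the endpoint an enumeration oracle."""
    for acct in ACCOUNTS:
        if contact in (acct.phone, acct.email):
            return acct.user_id
    return None


def lookup_hardened(contact: str, caller_authenticated: bool) -> Optional[int]:
    """Require a logged-in caller and honour the user's discoverability choice.
    'No such contact' and 'contact exists but hidden' yield the same response,
    so the caller cannot tell the two cases apart."""
    if not caller_authenticated:
        return None
    for acct in ACCOUNTS:
        if contact == acct.phone and acct.discoverable_by_phone:
            return acct.user_id
        if contact == acct.email and acct.discoverable_by_email:
            return acct.user_id
    return None
```

In a real service the hardened path also needs per-caller rate limiting and identical response size and timing for the two negative cases, otherwise the oracle survives in a weaker form.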

'When we learned about this, we immediately investigated and fixed it,' Twitter said, adding that it had no evidence at that time 'to suggest someone had taken advantage of the vulnerability.'

It wasn't until July that Twitter discovered - through a media report - that someone may have exploited the zero-day, and was attempting to sell user information.

A user of popular hacker hang-out Breached Forums offered to sell data belonging to around 5.4 million Twitter accounts for $30,000, RestorePrivacy said.

'After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.'

9to5Mac now claims to have seen evidence that more than the original 5.4 million users' information had been accessed - and by a number of bad actors, not just one.

The publication saw a dataset containing the same information RestorePrivacy saw, in a different format. A security researcher told the news outlet that the dataset was definitely stolen by a different threat actor, and that this was just one of a number of files they have seen.

The data covers Twitter users in the UK, EU and some parts of the USA.

"I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for an entire country's telephone number space from +XX 0000 to +XX 9999," the source said.

"Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset."

Numerous dark web sources are now selling the data for about $5,000, and bad actors are thought to have been able to download about 500k records per hour.

Additional data for sale

Last week Pompompurin, owner of the Breached hacking forum, told BleepingComputer that they exploited the flaw and created the massive dump of Twitter user records after another threat actor going by the name of 'Devil' disclosed the vulnerability to them.

In addition to the 5.4 million records initially available for purchase, there were also an additional 1.4 million Twitter profiles for suspended users that had been collected using a different API.

Pompompurin claimed this second data dump of 1.4 million accounts was only privately distributed to a select group of individuals.

"Even larger data dump"

Security expert Chad Loder has claimed on Twitter that the vulnerability was used to create an even larger data dump. This data dump potentially contains tens of millions of Twitter records, including public data like verified status, account names, Twitter IDs, bios, and screen names, as well as personal phone numbers gathered using the same API bug.

"I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021," Loder wrote on Twitter.

Loder was suspended from Twitter shortly after making his post. Later, Loder published a sample of this wider data leak on Mastodon with redactions.

BleepingComputer said it obtained a sample file of this previously unreported data leak, which contained 1.3 million phone numbers for users in France.

"We have since confirmed with numerous users in this leak that the phone numbers are valid, verifying this additional data breach is real," it added.