Twitter was forced to investigate the incident when a hacker offered the personal details of 5.4 million Twitter users on a hacker forum for $30,000 last month.
On Friday, Twitter confirmed that a threat actor had exploited a vulnerability that put user privacy on the platform at risk. The company said the breach had a “global impact,” and it is still unclear exactly how many Twitter accounts were affected.
Details of the Breach
According to Twitter’s blog post, the vulnerability was exploited to link private data with pseudonymous Twitter accounts. Reportedly, the flaw let an attacker submit a phone number or email address and learn which Twitter account, if any, was linked to it, identifying the user behind that account.
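The bug class described above is an identifier-to-account oracle: an endpoint that, given an email address or phone number, answers "this handle is linked to it". The block below is an added illustration, not Twitter’s code and not the researcher’s report; the toy service, the accounts in it and the discoverability settings are hypothetical and constructed inline. It shows the leaky lookup beside a hardened version that honours the account owner’s opt-in, returns the same negative answer for "no account" and "not discoverable", rate-limits callers so bulk matching of a leaked address list is expensive, and writes only a keyed hash of the queried identifier to its audit log.

```python
"""Identifier-to-account oracle (the bug class behind the incident) and one
hardened replacement. Added example; service and data are hypothetical."""
import hashlib
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    # The owner's opt-in to being found by email/phone ("discoverability").
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False


# Constructed sample accounts; none of these are real people or numbers.
ACCOUNTS = [
    Account("@anon_reporter", "tips@example.org", "+15550001111"),
    Account("@acme_corp", "press@acme.example", "+15550002222",
            discoverable_by_email=True, discoverable_by_phone=True),
]


def _normalize(identifier: str) -> str:
    """Canonicalize so case and spacing differences cannot dodge a lookup."""
    return identifier.strip().lower().replace(" ", "").replace("-", "")


def _find(identifier: str) -> Optional[Account]:
    ident = _normalize(identifier)
    for acct in ACCOUNTS:
        if ident in (_normalize(acct.email), _normalize(acct.phone)):
            return acct
    return None


def vulnerable_lookup(identifier: str) -> dict:
    """Leaky behaviour: any caller learns which handle owns an email or phone,
    regardless of the owner's privacy settings. Fed a leaked address list,
    this is a de-anonymization oracle."""
    acct = _find(identifier)
    if acct is None:
        return {"linked": False}
    return {"linked": True, "handle": acct.handle}


class HardenedLookup:
    """Same feature with the properties a contact-discovery endpoint needs:
    1. the account owner's opt-in decides, not the caller;
    2. one uniform negative response, so 'unlinked' and 'not discoverable'
       are indistinguishable to the caller;
    3. a per-caller rate limit that makes bulk matching slow and loud;
    4. audit entries are HMACs of the query, so logs do not become a leak."""

    def __init__(self, limit: int = 20, window_s: int = 3600,
                 log_key: bytes = b"hypothetical-audit-key-rotate-me"):
        self.limit, self.window_s, self.log_key = limit, window_s, log_key
        self._calls: Dict[str, List[float]] = defaultdict(list)
        self.audit: List[str] = []

    def _rate_limited(self, caller: str, now: float) -> bool:
        recent = [t for t in self._calls[caller] if now - t < self.window_s]
        self._calls[caller] = recent
        if len(recent) >= self.limit:
            return True
        recent.append(now)
        return False

    def lookup(self, caller: str, identifier: str,
               now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        if self._rate_limited(caller, now):
            return {"error": "rate_limited"}
        ident = _normalize(identifier)
        self.audit.append(
            hmac.new(self.log_key, ident.encode(), hashlib.sha256).hexdigest())
        acct = _find(ident)
        if acct is not None:
            is_phone = ident.startswith("+")
            opted_in = (acct.discoverable_by_phone if is_phone
                        else acct.discoverable_by_email)
            if opted_in:
                return {"found": True, "handle": acct.handle}
        # Uniform negative answer for both "no such account" and "opted out".
        return {"found": False}


if __name__ == "__main__":
    print(vulnerable_lookup("tips@example.org"))   # leaks @anon_reporter
    svc = HardenedLookup(limit=3)
    print(svc.lookup("scraper", "tips@example.org", now=0.0))   # {'found': False}
    print(svc.lookup("scraper", "press@acme.example", now=0.0))  # opted in
```

The uniform negative response is the important part: as long as "not linked" and "linked but private" produce the same body and status, the endpoint cannot be used to confirm that a given email or phone belongs to any account, which is exactly what the sold dataset required. Rate limiting and audit hashing are defence in depth on top of that.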
A Twitter spokesperson said passwords were not compromised in the breach, which dates back to January 2022.
It is worth noting that around two weeks earlier, a hacker going by “Devil” was offering the email addresses and phone numbers linked to the affected accounts on a hacker forum that emerged as a successor to the popular, now-seized RaidForums. The hacker was asking no less than $30,000 for the data.
The listing was tied to a Twitter vulnerability that a security researcher had discovered in January 2022 and reported through HackerOne, the bug bounty platform Twitter uses. Twitter paid a $5,040 bounty for the issue.
Twitter said the bug was introduced by an update to its code in June 2021 and was fixed promptly once it was reported.
According to the hacker, the affected accounts belonged to “celebrities, OGs, and companies, among others.” On 22 July 2022, Twitter announced that it would investigate the data posted by Devil.
On Friday, it confirmed that the data was legitimate and had been stolen by exploiting the same bug, which has since been fixed.
“We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened.”
It is worth noting that, at the time of publishing this article, the hacker had removed the advertisement from the forum. The screenshot below, however, shows what was being offered:
The Nation-State Hacker Connection
The social media giant urges users who want to keep their identity hidden from nation-state actors and other hackers not to add a publicly known email address or phone number to their Twitter accounts.
Twitter added that people running pseudonymous accounts could be prime targets for state-backed hackers. The data could be valuable to countries such as China, Russia, North Korea, Iran or Saudi Arabia, as state actors constantly hunt for such accounts and often use social engineering to unmask their owners.
Affected users will be notified. The company decided to publish the update because it cannot confirm every account affected by the breach. Although passwords were not exposed, it asked users to enable 2FA and other security measures. It is, however, unclear whether the hacker ever sold the data.
- APT Groups Trapping Targets with Clever Twitter Scheme
- Researcher logs into Trump’s Twitter with password MAGA2020
- Twitter hacker charged in sim swapping, cryptocurrency scheme
- Twitter Goes on Tor with New Dark Web Domain to Evade Censorship
- Mastermind of 2020’s top celebrity Twitter hack sentenced to 3 years