Twitter has confirmed that a serious system vulnerability that allows a hacker to steal sensitive information like linked phone number and email address for an account was exploited earlier this year, but it has now been patched. The vulnerability was associated with Twitter’s log-in flow, where a bad actor could enter a phone number or email address, and find out what Twitter account was associated with it.
The social media platform was made aware of the incident in January 2022, and a patch was immediately issued, but not before it was abused to steal the data of 5.4 million accounts. Twitter says no passwords were leaked as part of the hack, however, the company is yet to identify all the accounts affected. The company will be reaching out to the accounts that it knows were targeted, notifying the owners that their account data was up for grabs on a dark web forum.
While 5.4 million is a staggering number in itself, the risks are high for pseudonymous accounts that want to hide their identity for various reasons. The best example would be whistleblower accounts, which face risks of retaliatory action from deep-pocket companies as well as state agencies.
What happened behind the scenes?
Alberto Garcia Guillen/Shutterstock
In January, a cybersecurity expert with the username “zhirinovskiy” reported a Twitter vulnerability on the HackerOne forum. The user explained in detail how the log-in pipeline vulnerability works and how easy it was to execute within a few steps. The key takeaway was that by just using a phone number or email address, a malicious party could find out the linked Twitter account. The flaw was found in Twitter’s Android app.
Roughly two weeks later, a Twitter employee confirmed that the issue was fixed and also awarded a bug bounty worth $5,040 to zhirinovskiy for finding and helping fix the “valid security issue” (via Restore Privacy). However, the patch arrived too late. According to Restore Privacy, a bad actor going by the username “devil” had already exploited the security flaw to scrape the data of 54,85,636 Twitter accounts.
The stolen data was then listed for sale on the notorious dark web hacking community called Breached Forums. “These users range from Celebrities, to Companies, randoms, OGs, etc.” the hacker wrote in his post (via Restore Privacy). The authenticity of the data was verified by the hacker as well as the experts over at Restore Privacy. Interestingly, the hacker demanded a paltry sum of $30,000 for the data belonging to over 5.4 million Twitter accounts.
Twitter also authenticated the leaked information and confirmed that the leak was legitimate. Worryingly, BleepingComputer reports that two parties actually purchased the stolen user data, with the intention of releasing it for free on the internet . Twitter, on the other hand, is asking users to take preventive security measures such as enabling two-factor authentication or using hardware security keys to keep their accounts safe.
Interestingly, this is not the first security incident of its kind for Twitter. In 2019, Twitter revealed details of a bug that allowed the matching of 17 million phone numbers to their respective Twitter accounts. This happened just a few months after Twitter CEO Jack Dorsey’s account was hacked to post antisemitic messages and racial slurs.
Irrespective of the scale of the latest breach, the risks are very much real, especially for pseudonymous accounts that are under the scanner of state agencies or other parties with vested interests. Twitter itself revealed a few weeks ago that requests for content takedown from state actors have reached an all-time high, especially in markets like India, where the government is increasingly cracking down on journalists, human rights activists, and political opponents.