By Nathalie Voit

A vulnerability on Twitter left 5.4 million Twitter accounts exposed to malicious actors, BleepingComputer reported on August 5.

The now-patched zero-day was exploited in December 2021, after an update to Twitter’s code that summer had left its systems vulnerable, Twitter disclosed on Friday.

“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems,” the company said. “As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021.”
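The flaw Twitter describes is an account-existence oracle: a lookup endpoint that answers differently depending on whether a submitted email address or phone number is tied to an account. The added example below is not Twitter’s code and is not taken from the advisory; it is an illustration written for this article, with a constructed directory, constructed log lines and hypothetical function names. It shows the leaky handler beside a hardened one that returns the same response whether or not the contact exists and caps requests per client, plus a small log check that flags clients querying many distinct contacts, which is the pattern bulk enumeration leaves behind.

```python
from collections import defaultdict

# Constructed sample directory mapping contact -> account handle (not real data).
ACCOUNTS = {
    "alice@example.com": "@alice",
    "+15550001111": "@bob",
}


def leaky_lookup(contact):
    """Vulnerable pattern: the response itself reveals whether the contact is
    registered and which account it belongs to, so anyone can map a list of
    emails/phone numbers to accounts just by submitting them."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


class HardenedLookup:
    """Hardened pattern (hypothetical design, not Twitter's): the HTTP response is
    identical for registered and unregistered contacts, any account-specific
    information goes out of band to the contact itself, and each client is
    rate-limited so that bulk probing is cut off and becomes visible."""

    def __init__(self, directory, limit_per_client=5):
        self.directory = directory
        self.limit = limit_per_client
        self.requests = defaultdict(int)
        self.sent = []  # stands in for a mail/SMS queue

    def lookup(self, contact, client_id):
        self.requests[client_id] += 1
        if self.requests[client_id] > self.limit:
            return {"status": "rate_limited"}
        # Only the owner of the contact learns anything; the caller learns nothing.
        if contact in self.directory:
            self.sent.append(contact)
        return {
            "status": "accepted",
            "message": "If this contact is registered, we have sent it a message.",
        }


# Constructed log lines: "<client_ip> <contact_queried>", one lookup per line.
SAMPLE_LOG = [
    "203.0.113.7 a1@example.com",
    "203.0.113.7 a2@example.com",
    "203.0.113.7 a3@example.com",
    "203.0.113.7 a4@example.com",
    "198.51.100.2 alice@example.com",
    "198.51.100.2 alice@example.com",
]


def flag_enumerators(log_lines, threshold):
    """Detection: a legitimate user re-checks their own contact a few times;
    an enumeration run queries many distinct contacts from one client."""
    distinct = defaultdict(set)
    for line in log_lines:
        client, contact = line.split()
        distinct[client].add(contact)
    return {client for client, seen in distinct.items() if len(seen) >= threshold}


if __name__ == "__main__":
    print(leaky_lookup("alice@example.com"), leaky_lookup("nobody@example.com"))
    h = HardenedLookup(ACCOUNTS, limit_per_client=3)
    print(h.lookup("alice@example.com", "c1") == h.lookup("nobody@example.com", "c1"))
    print(flag_enumerators(SAMPLE_LOG, threshold=3))
```

The hardened handler still has to deliver something to the real account owner, so it moves that information to a channel only the owner controls; the response the caller sees no longer depends on the directory contents. The threshold in `flag_enumerators` is illustrative and would be tuned against normal traffic.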

“In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled,” the social media platform said in a security advisory. “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”

The hacker obtained the personal information of 5,485,636 Twitter users by taking advantage of the bug. The data breach exposed key information associated with those 5.4 million accounts, including users’ follower count, screen name, login name, location, URL, and profile picture. The attacker also obtained each account’s verified email address or phone number.

BleepingComputer said the stolen data was being offered for $30,000. However, the publication later learned that two separate threat actors had purchased the account ID list for less than the original asking price. Additionally, the bad actor told BleepingComputer that the data would likely be released for free in the near future.

For its part, Twitter said it would notify users whose accounts were compromised. However, it acknowledged that it could not confirm every account that may have been affected by the flaw.