Exploited Twitter vulnerability led to over 5 million account compromise

The vulnerability allowed attackers to link a Twitter account to its owner's email address or phone number

Twitter vulnerability resulted in 5 million account compromise

The social media giant Twitter revealed on Friday, August 5, that many of its users' accounts could have been exposed. According to the company's statement, a vulnerability in the platform allowed anyone who entered a phone number or an email address into the log-in flow to learn which account, if any, it was linked to, regardless of whether the user had chosen to hide that information in their privacy settings.

Twitter took responsibility for the potential privacy and security impact of the oversight and stated the following:[1]

We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened. While there’s no action for you to take specific to this issue, we want to share more about what happened, the steps we’ve taken, and some best practices for keeping your account secure.

The flaw was known for a while

According to the company's statement, the code change that introduced the bug was made in June 2021, and the flaw was reported in January 2022 through Twitter's bug bounty program. The bug was in the authorization flow of Twitter's Android client and was triggered whenever a user went through that process.

The breach was disclosed only six months later because it came to light that an unauthorized actor had exploited the flaw and was selling the harvested data on the hacking community board Breach Forums. According to the RestorePrivacy security team, which investigated the incident more closely, the account information of 5.4 million Twitter users was being offered for $30,000.

Speaking of Twitter's missteps, in May it had to pay a $150 million fine for abusing personally identifiable information without consent.[2] The U.S. Justice Department said the platform had used phone numbers and email addresses collected for security verification to serve users targeted advertisements, violating their privacy.

Precautionary measures to consider

Data breaches happen all the time, even to the most high-profile corporations and government institutions. Exploiting software vulnerabilities is one of the most common ways hackers breach networks or websites and extract user data. The consequences can be dire, so it is important to take some precautionary measures.

With more than 200 million active monthly users, Twitter is used by people worldwide, and you likely have an account as well. Anyone with a Twitter account could be affected by the breach, so the platform urges users to protect their privacy; enabling two-factor authentication should be a must for every Twitter user.

According to HackerOne user "zhirinovskiy", who found and reported the initial bug to Twitter, the flaw, if exploited, could pose a serious threat to users' privacy and security:[3]

This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.
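To make the enumeration the researcher describes concrete, and the mechanism described earlier (submitting a phone number or email to the log-in flow and learning which account it belongs to), here is an added example in Python. It is not Twitter's code and not the researcher's proof of concept; the account store, usernames, email addresses and phone numbers are constructed for illustration. It contrasts a lookup that answers differently for linked and unlinked identifiers regardless of the owner's discoverability settings with a hardened lookup that returns the same generic response for non-discoverable and non-existent identifiers, and runs an attacker loop over a candidate list against each.

```python
"""Toy model of an identifier-to-account enumeration flaw.

Added example, not Twitter's code. The account data and the attacker's
candidate list are constructed; all names are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    phone: str
    # Models the "let people who have your email/phone find you" settings.
    discoverable_by_email: bool = True
    discoverable_by_phone: bool = True


# Constructed sample accounts (hypothetical).
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550100", True, True),
    Account("bob", "bob@example.com", "+15550101", False, False),   # opted out of both
    Account("carol", "carol@example.com", "+15550102", True, False),  # phone hidden
]


def _find(identifier: str):
    """Return (account, 'email'|'phone') for a linked identifier, else (None, None)."""
    for acct in ACCOUNTS:
        if identifier == acct.email:
            return acct, "email"
        if identifier == acct.phone:
            return acct, "phone"
    return None, None


def vulnerable_lookup(identifier: str) -> dict:
    """The flaw class: the response differs for linked and unlinked identifiers
    and ignores the discoverability setting, so every call is a yes/no oracle
    that also hands back the username."""
    acct, _ = _find(identifier)
    if acct is None:
        return {"exists": False}
    return {"exists": True, "username": acct.username}


def hardened_lookup(identifier: str) -> dict:
    """Reveal a link only when the owner chose to be discoverable by that
    identifier type; a hidden link and a non-existent identifier produce the
    identical response, so the endpoint no longer works as an oracle."""
    acct, kind = _find(identifier)
    if acct is not None:
        allowed = acct.discoverable_by_email if kind == "email" else acct.discoverable_by_phone
        if allowed:
            return {"match": True, "username": acct.username}
    return {"match": False}


def enumerate_identifiers(lookup, candidates) -> dict:
    """Attacker loop from the researcher's description: push a list of
    phone numbers / emails through the lookup and keep every confirmed
    identifier -> username link (the 'database' a seller would offer)."""
    linked = {}
    for cand in candidates:
        resp = lookup(cand)
        if resp.get("exists") or resp.get("match"):
            linked[cand] = resp["username"]
    return linked


# Constructed candidate list: some linked, some hidden, some unknown.
CANDIDATES = [
    "alice@example.com",
    "bob@example.com",
    "+15550102",
    "+15550199",
    "nobody@example.com",
]


if __name__ == "__main__":
    print("vulnerable:", enumerate_identifiers(vulnerable_lookup, CANDIDATES))
    print("hardened:  ", enumerate_identifiers(hardened_lookup, CANDIDATES))
```

Against the constructed data the vulnerable lookup gives the attacker all three links, including the two the owners had hidden, while the hardened lookup yields only the one the owner opted to expose. In a real service the same check has to hold for every side channel of the response (status code, body length, error message and timing), because a response that is "generic" in the JSON body but differs in status code is still an oracle; rate limiting alone does not fix the flaw, it only slows the scripted loop the researcher describes.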

The social media giant said it is in the process of identifying and notifying all affected users, although it has not officially stated precisely how many accounts were affected.

About the author
Lucia Danes
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.
