Twitter has confirmed that a serious system vulnerability that allows a hacker to steal sensitive information such as an account’s linked phone number and email address was exploited earlier this year, but it has since been patched. The flaw was related to Twitter’s log-in flow, in which a bad actor could enter a phone number or email address and determine which Twitter account was associated with it.
The social media platform was made aware of the incident in January 2022, and an immediate patch was issued, but not before it was used to steal the data of 5.4 million accounts. Twitter claims that no passwords were compromised as a result of the hack, but the company has yet to identify all of the accounts affected. The company will notify the owners of the accounts that it knows were targeted that their account data was available on a dark web forum.
While 5.4 million is a staggering number, the risks for pseudonymous accounts, whose owners want to conceal their identity for a variety of reasons, are particularly high. The clearest example is whistleblower accounts, which face the risk of retaliation from both large corporations and government agencies.
What happened behind the scenes?
On the HackerOne forum in January, a cybersecurity expert with the username “Zhirinovsky” reported a Twitter vulnerability. The user described how the log-in pipeline vulnerability works and how simple it is to exploit in just a few steps. The key takeaway was that a malicious party could discover the linked Twitter account simply by using a phone number or email address. The researcher noted that the bug had been discovered in Twitter’s Android app.
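As an added illustration, not Twitter’s code (which was never published), the following Python sketch shows the class of flaw the report describes: a lookup endpoint whose response differs depending on whether a phone number or email address is linked to an account, beside a version that answers identically either way, plus a small log check that flags a source sweeping many identifiers in a short window. The account data, IP addresses, log format and function names are all constructed for the example.

```python
"""Added example (not Twitter's code): a toy account-lookup endpoint showing the
enumeration oracle pattern described in the article, a hardened version of the
same endpoint, and a small detector that flags bulk lookups in access logs.
All account data, IP addresses and log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample store mapping a contact identifier to a handle (hypothetical).
ACCOUNTS = {
    "+15550100": "@example_user",
    "reporter@example.org": "@anon_reporter",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Vulnerable pattern: the response reveals whether the identifier is linked
    to an account, and which one. Anyone who can call this with a list of
    phone numbers or email addresses learns the linkage from the reply alone."""
    handle = ACCOUNTS.get(identifier)
    if handle is not None:
        return {"status": "found", "handle": handle}
    return {"status": "not_found"}


_SENT = []  # stand-in for an out-of-band delivery queue (constructed)


def _queue_recovery_message(identifier: str) -> None:
    _SENT.append(identifier)


def lookup_hardened(identifier: str) -> dict:
    """Hardened pattern: the response is identical whether or not the identifier
    is linked. Any real action (e.g. sending a recovery message) happens out of
    band, so the caller learns nothing about linkage from the reply."""
    if identifier in ACCOUNTS:
        _queue_recovery_message(identifier)  # side effect, invisible to the caller
    return {"status": "ok",
            "message": "If this contact is linked to an account, instructions were sent to it."}


# Constructed access-log format (hypothetical): ISO timestamp, source IP, identifier looked up.
LOG_RE = re.compile(r"^(\S+) src=(\S+) path=/account/lookup id=(\S+)$")


def flag_enumeration(log_lines, window_seconds=60, threshold=20):
    """Return the set of sources that looked up at least `threshold` distinct
    identifiers within any `window_seconds` window. A user checking their own
    contact never comes close; a scraper crosses the line immediately."""
    per_source = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00")).timestamp()
        per_source[m.group(2)].append((ts, m.group(3)))
    flagged = set()
    for src, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside window_seconds
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            distinct = {ident for _, ident in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged.add(src)
                break
    return flagged


def _constructed_log():
    """Build a constructed log: one source sweeping 25 distinct numbers in 25
    seconds, and one ordinary user checking two of their own contacts."""
    base = datetime(2022, 1, 3, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(25):
        t = base.replace(second=i).strftime(fmt)
        lines.append(f"{t} src=203.0.113.5 path=/account/lookup id=+1555010{i:02d}")
    for i, ident in enumerate(["+15550100", "reporter@example.org"]):
        t = base.replace(minute=1, second=i).strftime(fmt)
        lines.append(f"{t} src=198.51.100.7 path=/account/lookup id={ident}")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    print(lookup_vulnerable("+15550100"), lookup_vulnerable("nobody@example.org"))
    print(lookup_hardened("+15550100") == lookup_hardened("nobody@example.org"))
    print("flagged sources:", flag_enumeration(SAMPLE_LOG))
```

The hardened handler is the fix the article implies: once the reply no longer depends on whether the contact is linked, the endpoint stops being an oracle, and rate limiting plus the distinct-identifier check above catches the bulk sweeping that turned one bug into a 5.4 million account dataset.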
Approximately two weeks later, a Twitter employee confirmed that the issue had been resolved and awarded Zhirinovsky a bug bounty of $5,040 for discovering and helping resolve the “valid security issue” (via Restore Privacy). The patch, however, arrived too late. According to Restore Privacy, a bad actor using the username “devil” exploited the security flaw to scrape the data of 5,485,636 Twitter accounts.
The hacker then listed the stolen information for sale on the notorious dark web hacking forum Breached Forums. “These users range from celebrities to companies, random, OGs, and so on,” wrote the hacker in his post (via Restore Privacy). Both the hacker and the experts at Restore Privacy confirmed the authenticity of the data. The hacker demanded only $30,000 for the data of over 5.4 million Twitter accounts.
Twitter also verified the authenticity of the information that had been leaked. Worryingly, BleepingComputer reports that two parties purchased the stolen user data with the intent of freely distributing it on the internet. Twitter, for its part, is encouraging users to take preventive security measures such as enabling two-factor authentication or using hardware security keys to keep their accounts secure.
Interestingly, this is not Twitter’s first security incident of this type. In 2019, Twitter disclosed details about a bug that allowed 17 million phone numbers to be linked to their respective Twitter accounts. This occurred just a few months after Twitter CEO Jack Dorsey’s account was hacked and antisemitic and racial slurs were posted.
Regardless of the scale of the most recent breach, the risks are very real, particularly for pseudonymous accounts under the scrutiny of state agencies or other parties with vested interests. Twitter recently revealed that requests for content removal from state actors have reached an all-time high, particularly in markets such as India, where the government is increasingly cracking down on journalists, human rights activists, and political opponents.