Dive Brief:
- Twitter on Friday said it was impacted by a security vulnerability that allowed outside actors to discover the identity of certain accounts by just entering a phone number or email address.
- Twitter learned of the vulnerability through its bug bounty program in January, but the company said the bug was related to a June 2021 code update. Twitter said it fixed the problem immediately and, at the time, had no evidence anyone exploited the vulnerability.
- However, a July report by Restore Privacy indicated a threat actor had potentially leveraged the vulnerability and was attempting to sell the information. Twitter said it investigated that report and confirmed the issue after reviewing a sample of the data.
Dive Insight:
The vulnerability was originally disclosed by a HackerOne user named Zhirinovskiy, and directly impacted users of Twitter’s Android client. RestorePrivacy, on July 21, discovered someone attempting to sell the information on Breached Forums, an infamous cybercrime forum.
“We then downloaded the data sample that the seller provided and analyzed the data, ultimately concluding that it was legit and matched up with real Twitter users,” Sven Taylor, editor of RestorePrivacy.com, said via email.
After contacting the seller via Telegram, RestorePrivacy learned the information was being offered for $30,000. Restore Privacy alerted Twitter about the data being offered in order to receive comment for its report.
While Twitter plans to directly notify impacted account holders, the company admits it cannot confirm every account that may have been affected. Twitter said it is particularly mindful of users who may operate under a pseudonym and may be targeted by state or other actors.
Twitter apologized to those users and suggested they stop using a publicly known email or phone number with their accounts.
Twitter urged all users to employ two-factor authentication, either using an authentication app or a hardware security key. The company also urged users with any questions about their data security to reach out to its Office of Data Protection.
Twitter has dealt with a couple of high-profile security incidents in recent years. In October 2021, the social media firm rolled out security keys to employees to prevent future spear-phishing attacks after a 17-year-old managed to access the accounts of several high-profile users, including celebrities and professional athletes.
The company is currently embroiled in a legal dispute with billionaire Elon Musk over his $44 billion takeover attempt. Musk has attempted to pull the plug on the deal, claiming discrepancies over whether Twitter has fully disclosed the number of bots presented as legitimate accounts.