Twitter has revealed that its July data breach, which resulted in millions of user accounts being offered for sale, was the result of an exploited zero-day vulnerability.
In late July, someone identified only by their handle, “devil”, posted to Breached Forums that they had 5.4 million Twitter user accounts and would sell the data for US$30,000 (S$41,367), as reported by Restore Privacy.
Twitter has now acknowledged that the account data was obtained through the exploitation of a zero-day vulnerability it first learned about in January 2022.
In a mea culpa published last week, Twitter explained that it was notified of the issue through its Hacker One bug bounty program.
A software update in July 2021 contained a user enumeration bug, the company said.
An attacker with knowledge of the bug could use telephone numbers to find out if a user account existed.
As “zhirinovskiy” explained in their Hacker One report, the bug meant an attacker could discover a Twitter account by phone number or email address, “even if the user has prohibited this in the privacy options”.
“The bug exists due to the process of authorisation used in the Android client of Twitter, specifically in the process of checking the duplication of a Twitter account."
Zhirinovskiy was paid US$5040 (A$7273) for the report.
As Twitter’s post confirmed, the bug “allowed someone to enter a phone number or email address into the log-in flow in an attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.”
Emails could also be used in the same way, Twitter’s post stated.
“When we learned about this, we immediately investigated and fixed it,” Twitter said.
“In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”
Twitter explained that it published the post because it was not able to contact all the affected users, especially those who were maintaining pseudonymous accounts.