This week, Twitter confirmed that a data breach allowed an attacker to gain access to the account details of approximately 5,400,000 Twitter users. In this blog we dive deeper into the data breach; this post may be updated as more details become available.
News of the data breach hit the web at the beginning of August 2022. On August 5, 2022, Twitter confirmed that it had suffered a data breach in July and that the breach allowed the attacker to gain access to approximately 5,400,000 Twitter users and their details. We will start by noting that the way Twitter titled the blog post in which it notified its users was quite interesting: the initial post was titled “An incident impacting some accounts and private information on Twitter”.
In that post, Twitter said the following:
“In January 2022, we have received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”
In the same post, Twitter also said that the bug in question (see the statement above) resulted from an update to its code in June 2021, and assured users that when it learned of the bug it immediately investigated and fixed it; at that time, Twitter had no evidence that anyone had exploited the vulnerability beforehand. The flaw was reported to Twitter by a security researcher going by the alias “Zhirinovskiy”, who described the potential risk the vulnerability posed if exploited correctly: according to him, an attacker could have successfully enumerated a “big chunk of the Twitter user base.”
According to the hacker, who spoke to a journalist from BleepingComputer, users could feed email addresses and phone numbers to a specific place in Twitter’s systems to determine whether a given email address or phone number was associated with a Twitter account and, if it was, retrieve the ID of that account.
The vulnerability was allegedly discovered on January 1st, 2022 and patched on January 6th of the same year. Twitter paid the security researcher $5,040 and the two parted ways: Twitter was happy because no user details had been exposed (or so it thought), and the security researcher, Zhirinovskiy, was happy because he got paid. Win-win, yeah?
Well, not quite.
In July 2022, Twitter said it had read a press report and learned that someone had leveraged the vulnerability discussed above and was offering to sell the resulting information on the web. Twitter got hold of the data and, unfortunately, confirmed that it had indeed been targeted.
The good news is that Twitter stated that no user passwords were exposed; however, the company still urged every one of its users to enable two-factor authentication where possible. The benefit of doing so is obvious: if a bad actor tried to log in to a Twitter account, they would face another step requiring confirmation of their identity via a second medium that only the legitimate user holds.
For those who would like to dig deeper into the vulnerability itself, the vulnerability report is available here, since the flaw has now been patched. You might want to read up on the vulnerability before reading further.
Twitter itself has stated that it learned that somebody was offering to sell the data on the web (see above). What does that mean exactly?
That means that Twitter was a victim of the typical data breach cycle:
A hacker breaches a system X -> the attacker sells data to other nefarious parties -> nefarious parties use the credentials obtained from the system X to attack system Y, etc.
Such a cycle has its obvious benefits for the attacker, and, sadly, consequences for innocent victims.
An article by CSHub that appeared shortly after the breach stated that “The hacker, who goes by the alias ‘devil’, claimed in a post on hacking forums (name redacted) that the data stolen includes email addresses and phone numbers from celebrities, companies, randoms, OGs, etc.”, where OGs refers to Twitter users that have short or otherwise desirable usernames.
In his post, the hacker said that he would not be accepting offers (for the data set) that are “lower than [$30,000].”
The hacker also shared a sample of the data, which is one possible way Twitter could have initially verified the breach without obtaining the data set itself, and named the exact number of affected accounts: 5,485,636 users. Here’s a redacted example provided by BleepingComputer:
Image 1 – a set of sample data provided by BleepingComputer
The hacker(s) allegedly obtained the data as far back as December 2021, and the attack was allegedly possible (per details from Zhirinovskiy’s report) “due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.”
Some people may have speculated that the hacker selling the data was in fact Zhirinovskiy, but according to a report by BleepingComputer, the two are not affiliated: the hacker going by the alias “devil” told BleepingComputer that he guessed a lot of people were trying to connect the security researcher to him and that he “would be pissed” if he were him. He also reiterated that he has nothing to do with the security researcher who reported the bug on HackerOne, nor with HackerOne itself.
Shortly after the data breach, Twitter told BleepingComputer that it had already begun sending out notifications to alert impacted users of their exposure; keeping in mind how rapidly Twitter turned around and fixed this zero-day vulnerability, such news is truly amazing. And while Twitter representatives say they were unable to determine the exact number of people impacted by the data breach, according to the details provided by the hacker, as many as 5,485,636 Twitter accounts are at risk, though this figure is yet to be confirmed.
The Twitter data breach shows, yet again, that even the smallest flaws in software applications can have an impact on millions of users. While Twitter turned around and fixed this flaw relatively quickly, there is some sad news too: it’s very possible that the attacker had already sold the data to other nefarious parties to use and exploit before Twitter found out about the existence of the zero-day. However, if you’re concerned that your company might be the target of such a data breach in the future, worry not: with BreachDirectory’s powerful search engine and API capabilities combined, you and your employees will be safer than ever before. Implement the BreachDirectory API into your infrastructure and make the web a safer place for both yourself and your employees, read up on news surrounding some of the more popular data breaches if you’re interested, keep in touch with us as we finish a new feature that further secures our Enterprise customers by letting you access all of the data in BreachDirectory locally, and we’ll see you in the next blog!
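As an added illustration of the class of bug described in the report and in the hacker’s account above (this is constructed example code, not Twitter’s code and not from the HackerOne report), here is a duplicate-account check that doubles as an account-existence oracle, a non-leaking replacement that answers identically either way, and a simple server-side heuristic that flags a client probing many distinct contacts. All contacts, account ids, client names and log lines are hypothetical.

```python
from collections import defaultdict

# Constructed sample user directory (hypothetical values): contact -> account id.
USERS = {"alice@example.com": 1001, "+15550100": 1002}

def duplicate_check_vulnerable(contact: str) -> dict:
    """Leaky duplicate-account check: the response differs depending on whether
    the email/phone is registered, and even hands back the linked account id.
    Any caller can therefore use it as an oracle mapping contacts to accounts."""
    if contact in USERS:
        return {"available": False, "account_id": USERS[contact]}
    return {"available": True}

def duplicate_check_hardened(contact: str) -> dict:
    """Non-leaking replacement: the response is identical whether or not the
    contact is registered. The real outcome is delivered out-of-band (e-mail or
    SMS to the contact itself), so only its actual owner learns anything."""
    # Sending the out-of-band message is omitted in this illustration.
    return {"status": "If this contact can be used, a verification message will be sent to it."}

def is_enumeration_oracle(check) -> bool:
    """True if `check` lets a caller tell a registered contact apart from an
    unregistered one, i.e. if it leaks account existence."""
    return check("alice@example.com") != check("unknown@example.com")

# Constructed server-side log of duplicate-check calls: one line per request.
SAMPLE_LOG = """\
client=app-7f3a contact=alice@example.com
client=app-7f3a contact=alice@example.com
client=scanner contact=a1@example.com
client=scanner contact=a2@example.com
client=scanner contact=a3@example.com
client=scanner contact=+15550100
client=app-9c21 contact=+15550199
"""

def flag_enumerators(log: str, max_distinct_contacts: int) -> list:
    """Detection heuristic: one client probing many *distinct* contacts behaves
    like an enumeration script, not like a user checking their own sign-up."""
    seen = defaultdict(set)
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split())
        seen[fields["client"]].add(fields["contact"])
    return sorted(c for c, s in seen.items() if len(s) > max_distinct_contacts)
```

Running `is_enumeration_oracle` against both handlers shows why the uniform response matters, and `flag_enumerators(SAMPLE_LOG, 3)` singles out the client that probed four different contacts.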