Zero-Day Twitter Hack Confirmed, Impact Could Exceed 20 Million Users


At least 5 million Twitter users impacted by zero-day hack, total could yet exceed 20 million.

On 5 August 2022, Twitter confirmed that a threat actor used a zero-day vulnerability to compile a database of user information. That vulnerability was fixed, Twitter said, in January 2022. However, Bleeping Computer has reported that the database, which includes non-public information of more than 5 million users, has now been shared for free within a breached data marketplace forum. The publication also reports that another database, potentially containing 17 million records, was created using the same vulnerability. Here’s what we know so far.

Database of 5,485,635 Twitter users shared by cybercriminals online

The Bleeping Computer report confirms that the database of 5,485,635 Twitter user records, initially offered for sale at $30,000 in July, has been shared on 24 November, for free, on the Breach Forums site. Most of the data, it would appear, is publicly known, such as Twitter usernames, login names, and verification status. However, the report also states that private information, such as telephone numbers and email addresses, is also included.


The information appears to have been gathered using an Application Programming Interface (API) vulnerability, as first disclosed by a hacker on the HackerOne bug bounty platform (who received a $5,000 payment from Twitter), enabling the data to be scraped. “APIs allow computers to communicate with one another, and account for around 80% of all the traffic that traverses the Internet. In short, APIs are very important and should be treated as such,” Ed Williams, director of SpiderLabs (EMEA) at Trustwave, says. “Yet, we still see common security-related issues around APIs, most notably authentication (or lack of) based issues, a lack of resource and rate limiting, and generic API security misconfigurations like TLS, error handling, and logging. We know from recent data breaches that a combination of these can yield significant amounts of personal data.”
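The two controls Williams names, rate limiting and logging, are easy to illustrate from the defender's side. The following Python is an added example and is not code from the article, from Twitter, or from the HackerOne report; the article does not describe the endpoint involved, so the `/lookup?q=` path, the access-log line format, and all thresholds are constructed assumptions. It shows a per-client sliding-window limiter for a lookup-style endpoint and a detector that scans access-log lines for a client walking through many distinct identifiers, the pattern that turns a lookup feature into a scraping tool.

```python
# Added example, not code from the article or from Twitter. It sketches two
# defender-side controls the quoted list of API weaknesses points at:
# per-client rate limiting on a lookup endpoint, and detection of
# enumeration-style scraping in access logs. The endpoint path "/lookup",
# the log line format and all thresholds are constructed assumptions.
import re
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent hits

    def allow(self, client_id, now):
        q = self._hits[client_id]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: caller should answer HTTP 429
        q.append(now)
        return True


# Constructed access-log format: "<unix_ts> <client> GET /lookup?q=<key> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) GET /lookup\?q=(?P<key>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Yield (ts, client, key) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield int(m.group("ts")), m.group("client"), m.group("key")


def find_enumerators(text, window=60, max_distinct=10):
    """Return clients that queried more than `max_distinct` different keys
    within any `window`-second span. An ordinary user re-checks a handful of
    identifiers; a scraper walks through many distinct ones."""
    by_client = defaultdict(list)
    for ts, client, key in parse_log(text):
        by_client[client].append((ts, key))

    flagged = set()
    for client, events in by_client.items():
        events.sort()
        recent = deque()  # (ts, key) pairs inside the current window
        for ts, key in events:
            recent.append((ts, key))
            while recent and ts - recent[0][0] >= window:
                recent.popleft()
            if len({k for _, k in recent}) > max_distinct:
                flagged.add(client)
                break
    return sorted(flagged)


# Constructed sample log: one ordinary client re-checking two addresses,
# one malformed line, and one client cycling through twelve different
# addresses within a few seconds.
SAMPLE_LOG = "\n".join(
    [
        "1000 10.0.0.1 GET /lookup?q=alice@example.com 200",
        "1002 10.0.0.1 GET /lookup?q=alice@example.com 200",
        "1030 10.0.0.1 GET /lookup?q=bob@example.com 404",
        "garbage line that should be ignored",
    ]
    + [f"{1000 + i} 203.0.113.5 GET /lookup?q=u{i:03d}@example.com 200" for i in range(12)]
)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=5, window=60)
    decisions = [limiter.allow("203.0.113.5", now=1000 + i) for i in range(7)]
    print("rate limiter decisions:", decisions)
    print("flagged clients:", find_enumerators(SAMPLE_LOG))
```

The limiter bounds how fast any one client can query at all; the detector catches the slower, distributed case the limiter misses, where a client stays under the per-second budget but keeps changing the identifier it asks about. In practice the thresholds would be tuned against the endpoint's real traffic, and the detector would key on an authenticated client identity rather than a bare source address.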

Twitter…

Source…