Twitter confirms July data breach that affected millions of accounts
Zero-day exploits are a menace to the tech industry, with web browsers — Chrome and Firefox in particular — frequently targeted by them. Although Google is keeping up with zero-day detections, malicious actors are always seeking out security loopholes in all sorts of services. Twitter was the target of one such attack in December 2021, with the individual responsible claiming to have obtained key information from 5.4 million accounts on the platform. The company has now officially confirmed that the attack happened and that the zero-day exploit used to carry it out has been patched.
While Twitter is forthcoming about details of the breach, that doesn't change the fact that the attacker still has the user account data at their disposal. The attacker told BleepingComputer last month that they were able to compile profiles of 5,485,636 accounts with information such as location, URL, profile picture, and other data. They used a vulnerability which allowed anyone to submit a phone number or email address, learn whether it was linked to an active Twitter account, and then retrieve that account's information.
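As an added example, not Twitter's code and not a reconstruction of the actual bug, the following shows the general shape of the flaw described above: a contact-lookup endpoint whose response reveals whether an email or phone number is registered and hands back profile fields, placed beside a hardened version that answers identically either way and rate-limits callers, plus a simple detection rule a defender could run over lookup logs to spot enumeration. The `USERS` directory, `normalize` rules, field names, client ids and the sample log are all constructed for the example.

```python
import time
from collections import Counter, defaultdict, deque

# Constructed sample directory (hypothetical data and field names).
USERS = {
    "alice@example.com": {"handle": "alice", "location": "Berlin", "url": "https://alice.example"},
    "+15550100200": {"handle": "bob", "location": "Denver", "url": ""},
}


def normalize(identifier: str) -> str:
    """Canonicalise an email or phone number before lookup (hypothetical rules)."""
    ident = identifier.strip().lower()
    if ident.startswith("+"):
        ident = "+" + "".join(ch for ch in ident[1:] if ch.isdigit())
    return ident


def lookup_leaky(identifier: str) -> dict:
    """Vulnerable shape: the status code tells the caller whether the contact is
    registered, and a match returns profile data to an unauthenticated caller."""
    user = USERS.get(normalize(identifier))
    if user is None:
        return {"status": 404, "body": {"error": "no account"}}
    return {"status": 200, "body": dict(user)}


class HardenedLookup:
    """Hardened shape: the same response whether or not a match exists, no profile
    fields in the response, the real work done out of band, and a per-client
    sliding-window rate limit."""

    UNIFORM_BODY = {"message": "If this contact is linked to an account, its owner has been notified."}

    def __init__(self, max_requests=5, window_seconds=60.0, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock  # injectable so the limiter can be tested deterministically
        self._hits = defaultdict(deque)
        self.outbox = []  # out-of-band notifications; never returned to the caller

    def _allowed(self, client_id: str) -> bool:
        now = self.clock()
        hits = self._hits[client_id]
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True

    def lookup(self, identifier: str, client_id: str) -> dict:
        if not self._allowed(client_id):
            return {"status": 429, "body": {"error": "too many requests"}}
        user = USERS.get(normalize(identifier))
        if user is not None:
            # Notify the account owner; the caller learns nothing from this branch.
            self.outbox.append((user["handle"], "someone looked up your contact details"))
        return {"status": 202, "body": dict(self.UNIFORM_BODY)}


def enumeration_suspects(records, distinct_threshold=50, window_seconds=300.0):
    """Detection rule: flag clients that query many *distinct* identifiers within a
    short window. `records` is an iterable of (timestamp, client_id, identifier_hash);
    log a hash of the identifier rather than the raw contact so the log itself does
    not become a second copy of the dataset."""
    by_client = defaultdict(list)
    for ts, client, ident in sorted(records):
        by_client[client].append((ts, ident))
    flagged = set()
    for client, events in by_client.items():
        window, counts = deque(), Counter()
        for ts, ident in events:
            window.append((ts, ident))
            counts[ident] += 1
            while window and ts - window[0][0] > window_seconds:
                old_ts, old_ident = window.popleft()
                counts[old_ident] -= 1
                if counts[old_ident] == 0:
                    del counts[old_ident]
            if len(counts) >= distinct_threshold:
                flagged.add(client)
                break
    return flagged


# Constructed sample log: one client sweeping 60 distinct hashed identifiers in 10
# seconds, one ordinary client repeating a couple of its own lookups over a minute.
SAMPLE_LOG = [(i * 0.16, "client-scan", f"h{i:03d}") for i in range(60)] + [
    (1.0, "client-normal", "h900"),
    (20.0, "client-normal", "h900"),
    (40.0, "client-normal", "h901"),
]

if __name__ == "__main__":
    print(lookup_leaky("alice@example.com"), lookup_leaky("nobody@example.com"))
    guard = HardenedLookup(max_requests=3, window_seconds=60)
    print(guard.lookup("alice@example.com", "c1"), guard.lookup("nobody@example.com", "c1"))
    print(enumeration_suspects(SAMPLE_LOG))
```

The hardened endpoint removes the two properties the article's attacker relied on: a caller can no longer distinguish a registered contact from an unregistered one, and no profile fields travel back in the response. The rate limiter slows down bulk querying, and the detection rule catches the remaining signal, a single client touching far more distinct identifiers than any legitimate user would.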
Crucially, the data was being offered for roughly USD 30,000, according to the publication, though it was reportedly sold for a significantly smaller amount to at least two separate buyers. The attacker also said at the time that the data could end up being released for free, putting the privacy of millions of users at risk.
For its part, Twitter said it learned of the bug in January this year through its bug bounty program on HackerOne, adding that the vulnerability crept in after an update to its code in June 2021. While the issue was fixed earlier this year, Twitter says it had no indication at the time that an attacker had already exploited it and was in possession of the data. That changed last month, after an initial wave of publicity around the attack, when Twitter examined one of the samples put up for sale and confirmed it had been obtained through the exploit in question.
Twitter said it is notifying each affected user, but admitted that it cannot confirm every account that was exposed through this security loophole. People who may be sought by governments or terrorist groups are at particular risk, since those actors could use the breached dataset to link pseudonymous accounts to real identities and track down their targets. Passwords were not part of the data breach, but the company is advising users to turn on two-factor authentication for their accounts — and because phone numbers are in the leaked data and are themselves a threat vector (SMS-based codes can be intercepted or redirected), users should go for either an authentication app or a hardware key, both of which can be set up in the Twitter app's settings.
(Details and picture courtesy of the source; this content is auto-generated from an RSS feed.)