

Twitter’s massive data breach that exposed user emails and phone numbers may have impacted more than 5 million users.

In late July, a threat actor leaked data from 5.4 million Twitter accounts that had been obtained by exploiting a now-patched vulnerability in the popular social media platform.

The threat actor offered the stolen data for sale on the popular hacker forum Breached Forums. In January, a report published on HackerOne claimed the discovery of a vulnerability that could be exploited by an attacker to find a Twitter account by its associated phone number/email, even if the user had opted out of this in the privacy options.

“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost the same as getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the authorization process used in the Android Twitter Client, specifically in the process of checking the duplication of a Twitter account.” reads the description in the report submitted by zhirinovskiy via the HackerOne bug bounty platform. “This is a serious threat, as not only can people find users who have restricted the ability to be found by email/phone number, but any attacker with basic scripting/coding knowledge can enumerate a big part of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such databases can be sold to malicious parties for advertising purposes or in order to target celebrities in different malicious activities.”

The seller claimed that the database contained data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a data sample in the form of a csv file.

In August, Twitter confirmed that the data breach was caused by the now-patched zero-day flaw submitted by the researcher zhirinovskiy via the bug bounty platform HackerOne, and that the report received a $5,040 bounty.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in an attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads the Twitter notice. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social networking firm.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
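The bug Twitter and the HackerOne report describe is a user-enumeration oracle: an unauthenticated pre-check (signup duplicate check or login flow) that answers differently depending on whether a phone number or email maps to an account, and ignores the owner’s discoverability opt-out. The Python sketch below is an added example, not Twitter’s code or the researcher’s report; the accounts, the endpoint path and the log lines are all constructed for illustration. It contrasts the leaky pattern with a hardened one that returns a constant response and honours the opt-out, and adds a small detector that flags clients probing many distinct identifiers against such an endpoint.

```python
"""Added example modelling an account-lookup oracle and its mitigations.
Nothing here is Twitter's code; accounts, endpoint names and logs are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False  # the user's privacy opt-in
    discoverable_by_phone: bool = False


# Constructed sample directory (hypothetical users).
ACCOUNTS: List[Account] = [
    Account(1, "alice", "alice@example.com", "+15550000001", True, False),
    Account(2, "bob", "bob@example.com", "+15550000002", False, False),
]


def _find(identifier: str) -> Optional[Account]:
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


def leaky_duplicate_check(identifier: str) -> Dict:
    """Vulnerable pattern: an unauthenticated 'is this contact taken?' check
    that returns the matching account's identity and never consults the
    owner's discoverability setting. Any caller learns contact -> user."""
    acct = _find(identifier)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "user_id": acct.user_id, "handle": acct.handle}


def hardened_duplicate_check(identifier: str) -> Dict:
    """Hardened pattern: the unauthenticated pre-check returns the same body
    whether or not the contact exists. If the owner must be told, do it out
    of band (a message to that email/phone), never in the HTTP response."""
    _find(identifier)  # lookup still happens, e.g. to send an out-of-band notice
    return {"status": "if this contact is registered, its owner has been notified"}


def discoverable_lookup(identifier: str, by: str) -> Optional[Dict]:
    """Authenticated 'find people you know' lookup that honours the opt-out:
    the handle is returned only when the owner enabled discoverability for
    that contact type ('email' or 'phone')."""
    acct = _find(identifier)
    if acct is None:
        return None
    allowed = acct.discoverable_by_email if by == "email" else acct.discoverable_by_phone
    return {"handle": acct.handle} if allowed else None


# Constructed access-log lines: "<client> <endpoint> <identifier>".
# /signup/check_contact is a hypothetical path standing in for the pre-check.
SAMPLE_LOG = """\
10.0.0.7 /signup/check_contact alice@example.com
10.0.0.7 /signup/check_contact bob@example.com
10.0.0.7 /signup/check_contact carol@example.com
10.0.0.7 /signup/check_contact +15550000009
10.0.0.9 /signup/check_contact dave@example.com
10.0.0.9 /signup/check_contact dave@example.com
10.0.0.9 /login dave@example.com
"""


def enumeration_suspects(log_text: str, threshold: int = 3) -> List[str]:
    """Flag clients that probe at least `threshold` *distinct* identifiers
    against the pre-check endpoint. Counting distinct values, not requests,
    separates a user retrying their own contact from a scripted sweep."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        client, endpoint, ident = line.split()
        if endpoint == "/signup/check_contact":
            probes[client].add(ident)
    return sorted(c for c, ids in probes.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(leaky_duplicate_check("bob@example.com"))      # leaks bob's identity
    print(hardened_duplicate_check("bob@example.com"))   # constant response
    print(discoverable_lookup("bob@example.com", "email"))  # None: opted out
    print(enumeration_suspects(SAMPLE_LOG))              # ['10.0.0.7']
```

The detector is deliberately simple; in practice the same idea is applied per client key (IP, device, or API token) over a sliding window, and the constant response in the hardened check should also be paired with rate limiting on the endpoint so that even timing or throughput cannot be used as a side channel.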

This week, the website 9to5mac.com claimed that the data breach was bigger than what the company initially reported. The website reports that multiple threat actors exploited the same flaw and that the data available in the cybercrime underground comes from different sources.

“A massive Twitter data breach last year, which exposed more than 5 million phone numbers and email addresses, was worse than initially reported. We have been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by various sources.” reads the post published by 9to5mac.com.

Source: Twitter account @sonoclaudio

9to5Mac’s claims are based on the availability of a data set that contained the same information in a different format, offered by a different threat actor. The source told the website that the database was “just one of several files they have seen.” It seems that the affected accounts are only those that had the “Discoverability | Phone option (which is hard to find in Twitter settings)” enabled in late 2021.

The file seen by 9to5Mac includes data pertaining to Twitter users in the UK, almost all EU countries and parts of the US.

“I received several files, one per phone number country code, which contain the phone number <-> Twitter account name matching for the countrywide phone number space of +XX 0000 to +XX 9999.” the source told 9to5Mac. “Any Twitter account that had the Discoverability | Phone option enabled at the end of 2021 was included in the dataset.”

Experts speculate that multiple threat actors gained access to Twitter’s database and combined it with data from other security breaches.

The security researcher behind the account @chadloder (suspended by Twitter after the news broke) told 9to5Mac that “the email and Twitter pairings were derived by running large existing databases of over 100 million email addresses through this Twitter email discovery vulnerability.”

The researcher told the website that they would contact Twitter for comment, but the entire media relations team has left the company.

UPDATE:

Update: after discussing with my colleague @sonoclaudio, we noticed that the post on the popular breach forum reports that 1.4 accounts were suspended. Now the question is, why, months after the accounts were suspended, was the data still present in the database? What is the retention period for Twitter? Does Twitter violate the GDPR for European users?

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Twitter)
