A July security breach at Twitter, which resulted in the exposure of hidden profile information of anonymous accounts, has been confirmed to be the result of a zero-day exploit.
The individual responsible claims to have obtained key information from 5.4 million accounts on the platform. Zero-day exploits are a threat to the technology sector, with web browsers – Chrome and Firefox – being particularly vulnerable to these threats.
The vulnerability allowed anyone to submit an email address or phone number, check to see if it was associated with a Twitter account and retrieve the associated account ID. The hacker then used that ID to retrieve public information about the account.
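The flaw described above is a classic account-enumeration leak: a contact lookup that answers for every account, regardless of the owner's privacy settings. The following added example (not Twitter's code; the `Account` fields, sample data and lookup budget are constructed assumptions) shows the leaky lookup beside a hardened version that honours the discoverability setting, returns the same response for "no such account" and "not discoverable", and throttles bulk lookups of the kind needed to compile millions of records.

```python
"""Added illustration of the lookup flaw described in the article.
Not Twitter's code: Account fields, sample data and the lookup budget are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    email: str
    phone: str
    discoverable_by_email: bool   # user's privacy setting (constructed field)
    discoverable_by_phone: bool


# Constructed sample data: one public account and one that opted out of discovery.
ACCOUNTS = [
    Account(1001, "public@example.com", "+15550001", True, True),
    Account(2002, "anon@example.com", "+15550002", False, False),
]

LOOKUPS = Counter()      # lookups per caller (constructed abuse counter)
LOOKUP_BUDGET = 100      # assumed per-caller ceiling before throttling


def _find(contact: str):
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct
    return None


def vulnerable_lookup(contact: str) -> dict:
    """The flaw: any submitted e-mail or phone number is matched against every
    account, and the account ID is returned whatever the owner's settings."""
    acct = _find(contact)
    return {"exists": acct is not None,
            "account_id": acct.account_id if acct else None}


def hardened_lookup(contact: str, caller: str = "anonymous") -> dict:
    """Only accounts that opted in to discovery by this contact type are matched,
    an opted-out account looks identical to a non-existent one, and callers that
    exceed the lookup budget get the same empty answer plus a throttled flag."""
    if LOOKUPS[caller] >= LOOKUP_BUDGET:
        return {"account_id": None, "throttled": True}
    LOOKUPS[caller] += 1
    acct = _find(contact)
    if acct is None:
        return {"account_id": None}
    by_phone = contact.startswith("+")
    allowed = acct.discoverable_by_phone if by_phone else acct.discoverable_by_email
    return {"account_id": acct.account_id if allowed else None}
```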
"In July 2022, we learned from a news article that someone had potentially exploited this flaw and was offering to sell the information they had compiled. After reviewing a sample of the data available for sale, we confirmed that an actor had indeed taken advantage of this issue before it was resolved."
The bug that caused the breach came from a June 2021 update to Twitter’s code and was quickly fixed, Twitter said.
Twitter's most recent incident before this one was in May, when the company agreed to pay $150 million in a settlement with the Federal Trade Commission after it misused phone numbers and email addresses, which users had submitted to set up two-factor authentication, for targeted ads.
By Mélissa Walehiane