Social networking platform Twitter was hit by an attack that exploited a then-unpatched (zero-day) vulnerability, reportedly in December 2021, and the attacker claimed to have obtained the account information of 5.4 million users on the platform. After the large data breach, the first official statement has now come from Twitter.
Account information of 5.4 million Twitter users stolen
The vulnerability has been closed
Twitter has officially confirmed that the breach took place and stated that the vulnerability used in the attack has since been patched.
Zero-day vulnerability attack
According to BleepingComputer, the attacker compiled profiles of 5.4 million accounts, including location, URL, profile picture and other profile data, together with the phone number or email address tied to each account. The vulnerability allowed anyone to submit a phone number or email address to Twitter's systems and learn which active Twitter account it was associated with, which turns any list of contact details into a list of matched accounts. The data set was put up for sale at an asking price of $30,000, but was reportedly sold to at least two separate buyers for considerably less.
Twitter became aware of the vulnerability in January of this year through a report submitted via its bug bounty program on HackerOne. According to the company's statement, the vulnerability was introduced by an update to its code, and it was fixed earlier this year. At the time, however, Twitter had no indication that anyone had already exploited the bug and was holding user data.
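To make the class of bug concrete, here is an added illustrative model of an account-discovery lookup of the kind described above; it is not Twitter's code or API, and the account records, function names and privacy-setting fields are constructed assumptions. The vulnerable lookup resolves any known email or phone number to an account handle, while the fixed version gates the answer on the owner's opt-in for that channel, so a bulk list of contact details no longer yields a list of accounts.

```python
"""Illustrative model of an email/phone-to-account discovery bug.

Constructed example: the records, field names and functions below are
assumptions for demonstration, not Twitter's actual code or API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool  # user opted in to "find me by email"
    discoverable_by_phone: bool  # user opted in to "find me by phone"


# Constructed sample data: alice opted out of discovery, bob opted in.
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550100001", False, False),
    Account("bob", "bob@example.com", "+15550100002", True, True),
]


def find_by_contact_vulnerable(contact: str) -> Optional[str]:
    """Behaviour before the fix: the lookup is keyed only on the contact
    value, so every email or phone number that exists in the database maps
    straight to a handle, regardless of the owner's privacy settings."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct.handle
    return None


def find_by_contact_fixed(contact: str) -> Optional[str]:
    """Hardened lookup: a match is returned only when the owner has opted
    in to discovery over that specific channel. Unknown contacts and
    opted-out owners produce the same answer, so the response does not
    reveal whether the contact is registered at all."""
    for acct in ACCOUNTS:
        if contact == acct.email and acct.discoverable_by_email:
            return acct.handle
        if contact == acct.phone and acct.discoverable_by_phone:
            return acct.handle
    return None


def enumerate_accounts(
    lookup: Callable[[str], Optional[str]], candidates: Iterable[str]
) -> Dict[str, str]:
    """Simulates what an attacker with a list of contact details does:
    run each one through the lookup and keep every hit."""
    return {c: h for c in candidates if (h := lookup(c)) is not None}


# Constructed attacker wordlist: two real contacts, one unregistered.
CANDIDATES = ["alice@example.com", "+15550100002", "carol@example.com"]

if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(find_by_contact_vulnerable, CANDIDATES))
    print("fixed:     ", enumerate_accounts(find_by_contact_fixed, CANDIDATES))
```

Running the block shows the difference in one line each: the vulnerable lookup hands the attacker both alice and bob, while the fixed lookup only returns bob, who chose to be discoverable. In a real service this check would sit alongside per-client rate limiting on the lookup endpoint, since even a correct opt-in check still lets an opted-in user be matched at scale.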
Security notice to users
Twitter said it has notified the users it could identify as affected by the breach, but stated that it cannot confirm every account exposed through this vulnerability. No passwords were leaked, but the company advises users to turn on two-factor authentication. Because phone numbers are among the leaked data, an authenticator app or a hardware security key is a considerably safer second factor than SMS codes, which can be intercepted by SIM-swapping a number the attacker already knows.