The compromised profiles, which were earlier put on sale in a cybercrime forum, were breached after a now-patched bug allowed anyone to enter a phone number or an email address of a user and learn if that information was connected to an existing Twitter account and, if so, which specific account.
ISMG could not independently verify the number of user accounts affected so far. But a report in July claimed to have spoken with the threat actor who used this vulnerability to compile a list of 5.4 million Twitter account profiles and offered the compromised data for sale for $30,000.
“While there’s no action for you to take specific to this issue, we want to share more about what happened, the steps we’ve taken, and some best practices for keeping your account secure,” Twitter disclosed in a Friday statement.
The company also says that no passwords were exposed, and recommends that Twitter users enable two-factor authentication using authentication apps or hardware security keys to protect their accounts from unauthorized logins.
A spokesperson for Twitter was not immediately available to comment.
Twitter says it was notified about this specific vulnerability in its systems through its HackerOne bug bounty program in January.
Twitter also awarded a security researcher a $5,040 bounty for his findings.
The company says that the bug resulted from an update to its code in June 2021, and that in 2022 it learned through a press report that some bad actors had exploited it and were offering to sell the information they had compiled.
The company says that as soon as it learned about this vulnerability, it investigated and fixed it.
Twitter says it reviewed a sample of the available data for sale on the cybercrime forum and confirmed that the bad actor took advantage of the issue before it was addressed.
Twitter also says that it will be directly contacting affected account owners.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” according to the statement.
The disclosure comes after the social media giant was recently slapped with a $150 million penalty for deceptively using the account security data of millions of users for targeted advertising.
The U.S. Justice Department and the Federal Trade Commission said that the company knew or should have known that its conduct violated the 2011 FTC Order, which prohibits misrepresentations concerning how Twitter maintains email addresses and telephone numbers collected from users.
Apps Leaking Twitter API Keys
Last week, Indian cybersecurity firm CloudSEK said in a report that it had uncovered 3,207 apps that were leaking valid Twitter API keys.
The leaked Consumer Key and Consumer Secret pairs for the Twitter API can be used to gain access to or take over Twitter accounts, the firm says.
Nick Rago, field CTO at Salt Security, says that it is common practice for attackers to target an API by looking for mobile applications that use it and reverse engineering the mobile app binary to see whether the developer has left behind any “goodies” that help gain access to the API.
“Investing in developer security education is key to help address long term, but adequate run-time protection and behavioral monitoring of the APIs is imperative to detect these types of breaches immediately,” says Rago, who is also an API management and security expert.
Rago says it is important to note that this is just another example of a breach or vulnerability that would evade the traditional signature-based security defenses most organizations have in front of their APIs today.