Zero-Day Bug Responsible for Massive Twitter Breach
A zero-day vulnerability in Twitter’s code base was responsible for a major data breach that is thought to have affected 5.4 million users, the social media firm has revealed.
The threat actor was hoping to sell the profile data for $30,000 on a cybercrime site. Some information was scraped from public Twitter profiles, including location and image URL. However, they were crucially able to link account emails and phone numbers with account IDs by leveraging the vulnerability.
“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” Twitter explained.
“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
However, the firm realized last month that a malicious actor had indeed been able to take advantage of the bug before it managed to patch it.
“We will be directly notifying the account owners we can confirm were affected by this issue,” it said.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”
The firm recommends that those who use Twitter pseudonymously not add a publicly known phone number or email address to their account.
It also suggested users switch on two-factor authentication for extra login security, using either a dedicated app or hardware security keys. However, no passwords were stolen in the attack.
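The lookup oracle Twitter described (submit an email or phone, learn which account it belongs to) is a classic account-enumeration flaw. The following is an added illustration, not Twitter's code: a constructed lookup handler that leaks the mapping, the uniform-response version that does not, and a log check that flags sources probing many distinct identifiers. The directory, log format and threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample directory of contact -> handle; not real data.
DIRECTORY = {"alice@example.com": "@alice", "+15550100": "@bob"}


def lookup_vulnerable(identifier: str) -> dict:
    """Mirrors the bug described in the article: the reply tells the caller
    which account (if any) the submitted email or phone is linked to."""
    handle = DIRECTORY.get(identifier)
    return {"found": True, "account": handle} if handle else {"found": False}


def lookup_hardened(identifier: str) -> dict:
    """Uniform reply: identical shape and wording whether or not the
    identifier is known, so the endpoint stops acting as an oracle."""
    known = identifier in DIRECTORY  # used only server-side, never reflected
    del known  # any follow-up (e.g. a recovery message) goes out of band
    return {"status": "If this contact is registered, instructions were sent."}


def enumeration_suspects(log_lines, max_distinct=3):
    """Flag sources that probe more than max_distinct different identifiers,
    the footprint bulk enumeration leaves in access logs (constructed format:
    '<ts> src=<ip> path=<path> id=<identifier>')."""
    probes = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("path") == "/lookup":
            probes[fields["src"]].add(fields["id"])
    return sorted(src for src, ids in probes.items() if len(ids) > max_distinct)


SAMPLE_LOG = [  # constructed log lines
    "t1 src=203.0.113.5 path=/lookup id=a@example.com",
    "t2 src=203.0.113.5 path=/lookup id=b@example.com",
    "t3 src=203.0.113.5 path=/lookup id=c@example.com",
    "t4 src=203.0.113.5 path=/lookup id=d@example.com",
    "t5 src=198.51.100.7 path=/lookup id=alice@example.com",
    "t6 src=198.51.100.7 path=/home id=-",
]

if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"), lookup_hardened("alice@example.com"))
    print("suspect sources:", enumeration_suspects(SAMPLE_LOG))
```

The hardened handler alone does not stop a determined enumerator from using timing or rate as a side channel, so per-source rate limiting and the log check above belong alongside it.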