"Zero-Day Bug Responsible for Massive Twitter Breach"

Twitter recently revealed that a zero-day vulnerability in Twitter's code base was responsible for a major data breach that is thought to have affected 5.4 million users. Twitter stated that the threat actor who exploited the vulnerability is hoping to sell users' profile data for $30,000 on a cybercrime site. Some of the information was scraped from public Twitter profiles, including location and image URL. Twitter noted that by leveraging the vulnerability, the threat actor was also able to link account emails and phone numbers with account IDs. Twitter stated that, as a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, those systems would tell the person which Twitter account the submitted email address or phone number was associated with, if any. Twitter noted that the bug resulted from an update to their code in June 2021. When they learned about the vulnerability, they investigated it and fixed it. Twitter recommends that those who use Twitter pseudonymously not add a publicly known phone number or email address to their account. They also suggested that users switch on two-factor authentication for extra login security, using either a dedicated app or hardware security keys. Twitter noted that no passwords were stolen during the attack.
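The bug class described above is account enumeration through a contact lookup: the response differs depending on whether a submitted email or phone number is already registered. The following is an added illustration, not Twitter's code, using a constructed in-memory directory and hypothetical function names; it shows the leaky lookup beside a hardened variant that returns the same response either way and throttles bulk queries from one source.

```python
"""Contact lookup: enumeration-prone handler beside a hardened one (constructed example)."""
from collections import defaultdict

# Constructed sample directory: contact identifier -> account id (not real data).
ACCOUNTS = {
    "alice@example.com": "acct_1001",
    "+15550100": "acct_1002",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Leaks linkage: the answer reveals whether the identifier is registered
    and which account it belongs to."""
    account_id = ACCOUNTS.get(identifier)
    if account_id is None:
        return {"found": False}
    return {"found": True, "account_id": account_id}


class HardenedLookupService:
    """Uniform response plus a per-source request cap.

    The real action (e.g. emailing a recovery link to the contact on file)
    happens out of band, so the caller only learns that the request was accepted.
    """

    def __init__(self, directory: dict, max_requests_per_source: int = 5):
        self.directory = directory
        self.limit = max_requests_per_source
        self.counts = defaultdict(int)  # hypothetical in-memory counter

    def lookup(self, source: str, identifier: str) -> dict:
        self.counts[source] += 1
        if self.counts[source] > self.limit:
            # Blunts bulk enumeration from one source; pair with server-side logging.
            return {"status": "rate_limited"}
        # Perform the lookup in both cases so the two paths do similar work;
        # the result is deliberately not exposed to the caller.
        _ = self.directory.get(identifier)
        return {"status": "accepted"}


def responses_indistinguishable(fn, known: str, unknown: str) -> bool:
    """True when fn answers identically for a registered and an unregistered identifier."""
    return fn(known) == fn(unknown)
```

A constant-shape response removes the direct oracle; timing differences and secondary signals (such as which recovery channel is offered) still need review.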


Infosecurity reports: "Zero-Day Bug Responsible for Massive Twitter Breach"