Twitter has confirmed that someone exploited a zero-day vulnerability to gain access to user data.
In a blog post about the incident, the company said the vulnerability “allows someone to enter a phone number or email address during the login process to try to understand if the information is associated with an existing Twitter account, and if so, the specific account.”
Twitter said the vulnerability was introduced in a June 2021 update, disclosed in January by a security researcher, and patched later that month. “At the time,” the company said, “we had no evidence that the vulnerability was exploited.”
Now things have changed. BleepingComputer reports that the vulnerability was exploited to scrape information on 5.4 million Twitter accounts before it was patched, combining phone numbers or email addresses discovered through the flaw with publicly available profile data.
Twitter said it “learned through news reports that someone may have taken advantage of this and offered to sell the information they collected in July.” The company then reviewed some of the data being sold and confirmed it was legitimate.
“We will directly notify account owners who we can confirm are affected by this issue,” Twitter said. “We’re releasing this update because we’re unable to identify every account that may have been affected, and are paying particular attention to those with pseudonymous accounts that may be locked out by the state or other actors.”
If you use a pseudonym, Twitter advises: “do not add a public phone number or email address to your Twitter account.” That advice cannot be applied retrospectively, however, and Twitter regularly pushes users to connect their phone number to their account.
Twitter did not immediately respond to a request for comment.