Twitter confirms data breach that affected millions of accounts
Zero-day exploits are a menace to the tech industry with web browsers — Chrome and Firefox — being particularly vulnerable to these threats. Although Google is keeping up with zero-day detections, malicious actors are always seeking out security loopholes in all sorts of services. Twitter was the target of one such attack in December 2021, with the individual responsible claiming to have obtained key information from 5.4 million accounts on the platform. The company has now officially confirmed that the attack happened and that the zero-day exploit that was used to make it happen has been patched.
While Twitter is forthcoming about details of the breach, it doesn’t change the fact that the attacker still has the user account data at their disposal. The attacker told BleepingComputer last month about being able to compile profiles of 5,485,636 accounts with information such as location, URL, profile picture, and other data. They used a vulnerability which allowed anyone to query a phone number or email to check on an active Twitter account and then obtain the account information.
Crucially, the data was being offered for roughly $30,000 as per the publication, though it was reportedly sold for a significantly lesser amount to at least two separate people. The attacker also said at the time the data could end up being released for free, putting the privacy of millions of users at risk.
For its part, Twitter said it learned of the bug in January this year through its bug bounty program, HackerOne, adding that the vulnerability crept in after an update to its code in June 2021. While the issue was fixed earlier this year, Twitter says it didn’t account for the likelihood of the attacker already being in possession of the data. This changed last month after an initial wave of publicity about the attack, which Twitter was able to confirm used the zero-day exploit in question after going through one of the samples that were put up for sale.

Twitter said it is notifying each affected user, but admitted that it cannot confirm every account that was exposed due to this security loophole. Governments or other terrorism groups may use the breached dataset to track down the people behind accounts they are seeking. Passwords were not part of the data breach, but the company is advising users to turn on two-factor authentication for their accounts. Considering that phone numbers are a threat vector, users should go for either an authentication app or a hardware key, both of which can be set up in the Twitter app’s settings.