It all started in June ‘21, when Twitter shipped a code update that introduced a critical vulnerability. It wasn’t until January ‘22 that a bug bounty hunter discovered the flaw, and Twitter said it addressed the issue immediately. New evidence surfaced in July ‘22 showing that the vulnerability had been exploited before Twitter fixed it: personal information of 5.4 million Twitter users was reportedly put on sale for $30,000. The data was reportedly sold for less than the original asking price and may eventually be made available for free.
What is this vulnerability, and how did it translate into such a massive breach? According to the owner of the hacking forum Breached, the vulnerability was in Twitter’s API. It allowed a bad actor to submit a phone number or email ID to Twitter’s systems and retrieve the profile associated with that email ID or phone number. This, in turn, allowed the hackers to assemble complete profiles of 5.4 million Twitter users, including phone numbers, email addresses, login IDs, and public information scraped from the internet.
The owner of Breached learned about the API vulnerability from another hacker, Devil, and used a second API vulnerability to uncover 1.4 million suspended Twitter accounts.
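The root failure described above is a lookup endpoint that acts as an existence oracle: given an email or phone number, it says whether an account exists and which one. The following is an added example, not Twitter’s code, of a contact-discovery lookup that only reveals accounts whose owner opted in and returns an identical response for non-existent and non-discoverable identifiers, plus a simple check over constructed log lines that flags clients querying many distinct identifiers (the user directory, opt-in flags and log format are all assumptions constructed for this example).

```python
from collections import defaultdict

# Constructed sample directory: handle -> profile with per-channel opt-in flags.
USERS = {
    "alice": {"email": "alice@example.com", "phone": "+15550000001",
              "discoverable_by_email": True, "discoverable_by_phone": False},
    "bob":   {"email": "bob@example.com", "phone": "+15550000002",
              "discoverable_by_email": False, "discoverable_by_phone": False},
}

# Single canonical "no match" reply so nothing about the identifier leaks.
NO_MATCH = {"status": "no_match"}


def lookup_contact(identifier: str, users: dict = USERS) -> dict:
    """Resolve an email or phone number to a handle, honouring the owner's opt-in.

    An unknown identifier and a known-but-not-discoverable account produce the
    same response, so the endpoint cannot be used to confirm account existence.
    """
    kind = "phone" if identifier.startswith("+") else "email"
    for handle, profile in users.items():
        if profile[kind] == identifier and profile[f"discoverable_by_{kind}"]:
            return {"status": "match", "handle": handle}
    return NO_MATCH


# Constructed log lines in the format "<client_id> <identifier> <status>".
SAMPLE_LOG = [
    "c1 alice@example.com match",
    "c1 +15550000001 no_match",
    "c2 a@example.com no_match",
    "c2 b@example.com no_match",
    "c2 c@example.com no_match",
    "c2 +15550000002 no_match",
    "c2 a@example.com no_match",
]


def flag_bulk_lookups(log_lines, threshold: int = 3):
    """Return client ids that queried more than `threshold` distinct identifiers.

    Repeated queries for the same identifier count once; a client cycling
    through many different emails or numbers is the pattern worth alerting on.
    """
    seen = defaultdict(set)
    for line in log_lines:
        client, identifier, _status = line.split()
        seen[client].add(identifier)
    return sorted(c for c, ids in seen.items() if len(ids) > threshold)
```

In production the uniform response should be paired with per-client rate limits, since a slow enumeration still succeeds if the endpoint answers every query.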
A redacted example of one of the user profiles assembled in this hack was shared by security expert Chad Loder.
Why is this dangerous? Well, as Twitter acknowledged, this hack is especially devastating for pseudonymous Twitter accounts. Their anonymity is undermined by this exposure, and their personal information may be used against them by the state or other bad actors. Personal information paired with email addresses and phone numbers makes the exposed users easy targets for phishing and social engineering attacks. And since the login ID is now known, hackers are just one brute-force attack away from getting into a Twitter account.
Twitter has not had the best year. While the number of monetizable Twitter users grew in Q2 2022 to reach 238 million, a report says it has been losing a lot of heavy tweeters. Twitter is losing credibility, ad revenue, and employees fast. The hack adds insult to injury.