Twitter accused of covering up data breach that affects millions
A Los Angeles-based cyber security expert has warned of a data breach at social media site Twitter that has allegedly affected “millions” of users across the US and EU. Chad Loder, founder of the cyber security awareness company Habitu8, took to Twitter on November 23 to warn users. Loder claims that the breach occurred “no earlier than 2021” and “has not been reported before”.
Loder claimed in a series of tweets that they had seen the data stolen in the alleged breach and had spoken to potential victims, who confirmed that the breached data was “accurate”. Loder said that any Twitter account with the “let others find you by phone number” setting enabled in its “discoverability” settings is affected, with “all accounts for the entire country code of France” listed together with their full mobile numbers.
The breach also includes the “full phone number spaces for multiple country codes in the EU” and “some area code[s] in the US”, with the data set including personal information for “verified accounts, celebrities, prominent politicians and government agencies”.
Back in July, Twitter confirmed a data breach that affected millions of user accounts. Loder stated that this “cannot” be the same breach unless the company “lied” about the July breach.
According to Loder, the data from this breach is “not the same data” as that seen in the July breach, because it is in a “completely different format” and has “different affected accounts”.
Loder believes that the breach occurred due to malicious actors exploiting the same vulnerability as the hack reported in July.
According to “devil”, the hacker who claimed responsibility in a post on the hacking forum Breach Forums, the stolen data included email addresses and phone numbers from “celebrities, companies, randoms, OGs, etc”.
The owner of Breach Forums first verified that the leak was authentic, stating that the breach took place because devil was able to exploit a vulnerability on the social media site that had first been flagged in January 2022.
A member called zhirinovsky published a report on the vulnerability to the bug bounty and vulnerability coordination platform HackerOne on January 1, 2022. They described the effect of the vulnerability as follows: “The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings.
The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” This means the vulnerability could, and later did, allow “any attacker with a basic knowledge of scripting/coding [to] enumerate a big chunk of the Twitter user base” and collect user data into a database linking Twitter usernames to their respective email addresses or phone numbers.
Such a database could then be sold to malicious parties, who could use it for advertising purposes or to target specific Twitter accounts, for example those of celebrities. Twitter itself verified the vulnerability on January 6 and paid zhirinovsky US$5,040; the issue was patched on January 13, with zhirinovsky confirming that day that it had been resolved.
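The bug class described above (a duplicate-account check that tells an unauthenticated caller whether a phone number or email maps to an account, regardless of the user's discoverability setting) is easier to see in code. The following is an added illustration, not Twitter's code and not the HackerOne report: the account table, the endpoint path `/signup/duplicate_check`, the log format and the threshold are all constructed. It shows the leaky behaviour next to a hardened version that gives a uniform answer to unauthenticated callers and honours the opt-in, plus a simple log check that flags a client probing many distinct contacts.

```python
"""Account-enumeration bug class: leaky vs. hardened contact lookup, plus a log detector.
Added example with constructed data; not Twitter's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    phone: str
    discoverable_by_phone: bool   # the "let others find you by phone number" setting
    discoverable_by_email: bool


# Constructed sample accounts (not real people or numbers).
USERS = [
    User(1001, "alice@example.com", "+33600000001", discoverable_by_phone=False, discoverable_by_email=False),
    User(1002, "bob@example.com", "+33600000002", discoverable_by_phone=True, discoverable_by_email=False),
    User(1003, "carol@example.com", "+14155550003", discoverable_by_phone=True, discoverable_by_email=True),
]
BY_CONTACT: Dict[str, User] = {}
for _u in USERS:
    BY_CONTACT[_u.email] = _u
    BY_CONTACT[_u.phone] = _u


def leaky_duplicate_check(contact: str) -> dict:
    """The bug-class behaviour: an unauthenticated signup check that reveals
    whether a contact is taken and which account it belongs to, ignoring the
    user's discoverability settings. Anyone can probe contacts one by one."""
    u = BY_CONTACT.get(contact)
    return {"taken": u is not None, "user_id": u.user_id if u else None}


def hardened_duplicate_check(contact: str) -> dict:
    """Hardened signup check: the response is identical whether or not the
    contact exists. Existence is only ever confirmed out of band, by sending a
    verification message to that contact (simulated here by the status string)."""
    return {"status": "verification_sent"}


def contact_lookup(contact: str, caller_authenticated: bool) -> Optional[int]:
    """Contact-sync lookup that honours the opt-in: only authenticated callers
    get an answer, and only for users who enabled discoverability for that
    contact type. A non-discoverable account is indistinguishable from no account."""
    if not caller_authenticated:
        return None
    u = BY_CONTACT.get(contact)
    if u is None:
        return None
    is_phone = contact.startswith("+")
    if (is_phone and u.discoverable_by_phone) or (not is_phone and u.discoverable_by_email):
        return u.user_id
    return None


# Constructed access-log lines: "<timestamp> <client-ip> <path> c=<hashed-contact>".
# The path name and the hashed contact token are assumptions for this example.
LOG_LINES = [
    "2022-01-03T10:00:01Z 203.0.113.5 /signup/duplicate_check c=a1",
    "2022-01-03T10:00:01Z 203.0.113.5 /signup/duplicate_check c=a2",
    "2022-01-03T10:00:02Z 203.0.113.5 /signup/duplicate_check c=a3",
    "2022-01-03T10:00:02Z 203.0.113.5 /signup/duplicate_check c=a4",
    "2022-01-03T10:05:00Z 198.51.100.7 /signup/duplicate_check c=b1",
    "2022-01-03T10:05:00Z 198.51.100.7 /signup/duplicate_check c=b1",  # a retry, not probing
    "2022-01-03T10:06:00Z 198.51.100.9 /timeline/home c=-",
]


def flag_enumeration(lines: List[str], threshold: int = 3) -> List[str]:
    """Return client IPs that queried at least `threshold` distinct contacts
    against the duplicate-check path. Counting distinct contacts rather than
    requests keeps a user retrying the same signup from being flagged."""
    probes: Dict[str, set] = defaultdict(set)
    for line in lines:
        _ts, client, path, contact = line.split()
        if path == "/signup/duplicate_check":
            probes[client].add(contact)
    return sorted(ip for ip, seen in probes.items() if len(seen) >= threshold)


if __name__ == "__main__":
    print("leaky:", leaky_duplicate_check("+33600000001"))
    print("hardened:", hardened_duplicate_check("+33600000001"), hardened_duplicate_check("+33600000099"))
    print("lookup opted-out:", contact_lookup("+33600000001", True))
    print("lookup opted-in:", contact_lookup("+33600000002", True))
    print("flagged clients:", flag_enumeration(LOG_LINES))
```

The point of the hardened pair is that neither the signup check nor the contact lookup lets an unauthenticated caller distinguish "no such account" from "account that opted out", which is exactly the distinction the original endpoint leaked. The log check is a first-pass heuristic; in practice it would run per time window and feed a rate limit or review queue rather than block on its own.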
On August 5, Twitter posted a statement about the breach, confirming that it had happened and that it was due to the vulnerability flagged in January. The company said it would “directly notify the account users it could confirm were affected by this issue”.
Twitter said the data breach was “unfortunate” and encouraged users to enable two-factor authentication to protect their accounts from unauthorised logins and to bring the malicious data-leaking activity under control.