Twitter has confirmed that a July security breach, which exposed the hidden profile information of anonymous accounts, was the result of a zero-day exploit; the underlying vulnerability had been reported through Twitter’s HackerOne bug bounty program.
The breach first became public knowledge on July 21, when a threat actor appeared on an underground forum offering the profile information of anonymous accounts for $30,000. Twitter says that the vulnerability the attacker exploited was reported to it by another party in January 2022 and immediately fixed without public notice, but that the flaw had been present since an update implemented in June 2021.
Twitter zero-day that exposed anonymous accounts was exploited in 2021
Twitter believes that the zero-day was exploited in December 2021, shortly before it was reported the following month and patched. The company said that at the time the fix was deployed, it saw “no evidence” that the flaw had been exploited.
The security breach did not expose passwords or any sensitive financial information, but it may have outed some anonymous accounts by exposing the private phone numbers and email addresses used to set them up and kept on file as ongoing contact information. By submitting an email address or phone number to the Twitter API, the attacker could have it return the account, if any, registered with that identifier: a classic account-enumeration flaw, in which an endpoint’s response reveals whether and to whom an identifier is linked. The attacker appears to have used publicly known email addresses (and phone numbers) to scrape the API for links to anonymous accounts, coming up with over 5.4 million in total.
The attacker did not sell the data at their initial asking price of $30,000, but apparently did negotiate sales to two other parties at a lower price. Twitter says that it is sending out notifications on the platform to users that may be impacted.
Security breach could prompt spearphishing attacks, threaten vulnerable activists and journalists
It is unknown at this time who purchased the Twitter data, but relatively low-value profile information of this nature generally ends up on the dark web as a free data dump once some months have passed and sales possibilities have been exhausted.
The primary concern with this security breach is that authoritarian governments might tie names to the anonymous accounts of activists, political opposition and journalists they are targeting. Spearphishing attempts on both Twitter and via the linked email are also likely if the data goes into broader circulation.
The attacker did not appear to have particular targets. The listing on the hacker forum advertised it as having the data of “celebrities and randoms,” and Twitter said that the impacted user base was “global.” The threat actor likely fed email addresses and phone numbers to the API in an automated process, possibly drawing on identifiers leaked in prior security breaches. Twitter has about 300 million users worldwide, and some studies in recent years have estimated that around 25% of those accounts are at least “pseudonymous” or partially anonymous. Twitter said it cannot estimate exactly how many anonymous accounts were actually impacted.
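The enumeration oracle described above, and the automated scraping of it with identifiers from older breach dumps, reduced to a runnable model. This is an added example, not Twitter’s code or a reproduction of its API: the user table, handles, addresses, phone numbers and request log lines are all constructed, and the endpoint and log format are assumed for illustration. It shows the vulnerable response shape beside the hardened one (identical reply whether or not the identifier is registered), the attacker loop that turns the vulnerable shape into a handle list, and a simple detection pass that flags clients probing many distinct identifiers.

```python
"""Account-enumeration oracle, vulnerable and hardened, plus a detection pass.

Added example (not Twitter's code). The leak worked because an endpoint
answered "which account, if any, is tied to this email or phone?".
`vulnerable_lookup` models that oracle, `hardened_lookup` models the fix,
`enumerate_accounts` plays the attacker feeding identifiers from older breach
dumps into it, and `flag_enumerators` is a simple detection over request logs.
All data below is constructed; handles, addresses and numbers are invented.
"""
from collections import defaultdict

# Constructed user table keyed by normalised contact identifier.
_USERS = {
    "email:ceo@example.com": "ceo_public",
    "phone:+15550100": "anon_whistleblower",
    "email:reporter@example.org": "pseudonymous_reporter",
}


def normalise(identifier: str) -> str:
    """Canonicalise 'email:<addr>' or 'phone:<number>' the way a signup flow
    would, so '+1 (555) 0100' and '15550100' hit the same record."""
    kind, _, value = identifier.partition(":")
    value = value.strip().lower()
    if kind == "phone":
        value = "+" + "".join(ch for ch in value if ch.isdigit())
    elif kind != "email":
        raise ValueError(f"unknown identifier kind: {kind!r}")
    return f"{kind}:{value}"


def vulnerable_lookup(identifier: str) -> dict:
    """Vulnerable: the response branches on whether the identifier is
    registered and even returns the linked handle, so the endpoint is a
    linkage oracle for anyone who can call it."""
    handle = _USERS.get(normalise(identifier))
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


def hardened_lookup(identifier: str) -> dict:
    """Hardened: the same response whether or not the identifier is registered.
    Any account-specific action (a reset link, a notice) goes out of band to
    the contact itself, never back to the caller."""
    normalise(identifier)  # validate input, but never branch on membership
    return {"status": "ok",
            "message": "If this contact is registered, we will send instructions to it."}


def enumerate_accounts(lookup, identifiers):
    """Attacker loop: every identifier the oracle confirms, mapped to its handle."""
    hits = {}
    for ident in identifiers:
        resp = lookup(ident)
        if resp.get("status") == "found":
            hits[ident] = resp["handle"]
    return hits


# Constructed list standing in for identifiers pulled from earlier breach dumps.
LEAKED = [
    "email:CEO@example.com",
    "phone:+1 (555) 0100",
    "email:nobody@example.net",
    "email:reporter@example.org",
    "phone:555-0199",
]


def flag_enumerators(log_lines, threshold=3):
    """Detection: clients that probe many *distinct* identifiers against the
    lookup endpoint. Assumed log format: '<client_ip> <endpoint> <identifier>'."""
    seen = defaultdict(set)
    for line in log_lines:
        client, endpoint, ident = line.split(" ", 2)
        if endpoint == "/lookup":
            seen[client].add(normalise(ident))
    return sorted(c for c, idents in seen.items() if len(idents) >= threshold)


SAMPLE_LOG = [  # constructed request log
    "203.0.113.7 /lookup email:ceo@example.com",
    "203.0.113.7 /lookup phone:+1 (555) 0100",
    "203.0.113.7 /lookup email:nobody@example.net",
    "203.0.113.7 /lookup email:reporter@example.org",
    "198.51.100.2 /lookup email:me@example.com",
    "198.51.100.2 /lookup email:ME@example.com",  # same identifier twice, not enumeration
    "198.51.100.2 /timeline home",
]

if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(vulnerable_lookup, LEAKED))
    print("hardened:  ", enumerate_accounts(hardened_lookup, LEAKED))
    print("flagged:   ", flag_enumerators(SAMPLE_LOG))
```

Against the constructed data the vulnerable endpoint gives up three handles, including the two pseudonymous ones, while the hardened endpoint gives up none; the detection pass flags only the client that probed several distinct identifiers, not the one that repeated its own address. The design point is that the fix is not rate limiting alone (which only slows the scrape) but removing the membership signal from the response; rate limits and per-client distinct-identifier counts are the second layer.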
Twitter grappling with security breaches since 2018
Twitter appeared to be improving its security prior to the zero-day exposure of the anonymous accounts, with no major incidents through 2021 after a long string of problems that began in 2018 and culminated in the takeover of high-profile accounts in 2020. That attack could have been much worse, with Twitter fortunate in that it was conducted by a group of teenagers who had a specific focus on taking over valuable accounts for sale and running Bitcoin scams. The 2020 security breach was a social engineering attack that gave the hackers a level of administrative access allowing them to take over and post from any account on the platform; this was used to make it look like Bill Gates and Barack Obama (among others) had suddenly become crypto scammers.
Earlier internal oversights bear some resemblance to the present incident. In late 2018, a flaw was discovered that allowed an attacker to look up the country code of the phone number associated with any Twitter account without any form of authentication. It later came out that this bug had been reported to Twitter in 2016, but the company took no action because it deemed the issue not a “significant” risk to users. Earlier in 2018, Twitter’s entire user base was prompted to change their passwords after an internal log was discovered to have been recording passwords in plain text, before they were hashed.
Twitter offers two-factor authentication as a login option and has suggested that impacted users enable it, even though no credentials were compromised by the zero-day security breach. Two-factor authentication does nothing, however, to help anonymous accounts that already had an identifiable phone number or email address linked to them, which potentially leaves vulnerable parties in danger.