Twitter Confirms Data Breach That Exposed Data Of 5.4 Million Users; Attackers May Still Have Data

Micro-blogging site Twitter has confirmed a zero-day attack that took place in December 2021, where the attacker claimed to have obtained information from 5.4 million users on the platform. The attack, which was reported on last month, has now been confirmed and the company has said that the exploit that was used to make it happen has been fixed.

Now, while Twitter has confirmed the attack, it still leaves data of 5.4 million Twitter users exposed and in the hands of a malicious attacker. The attacker said last month that he has data of about 5,485,636 accounts with information like location, URL, profile picture, and other data. The attackers allegedly used a vulnerability that allowed anyone to submit a phone number or email address to check whether it was tied to an active Twitter account and obtain that account's information.

According to Bleeping Computer, which first reported on the attack, the data was last being sold for $30,000, but the attacker had also said that the data could end up being released for free, putting millions of users at risk publicly. Twitter said it learned about the bug in January this year through its bug bounty program. While the issue was fixed earlier this year, Twitter said that it didn’t account for the likelihood of the attacker already being in possession of the data.

According to an Android Police report, Twitter has said that it is notifying each user, but the company has admitted that it cannot confirm every account that was exposed due to this issue. While passwords were not a part of the compromised data, Twitter is advising users to turn on two-factor authentication for their accounts. Given that the phone number is the key threat vector, users are advised to go for either an authentication app or a hardware key, both of which can be set up with Twitter’s mobile app.
