The team at Twitter deals with countless potential threats every single day. One in particular, a vulnerability reported to Twitter's bug bounty program in January 2022 and patched shortly afterward, has resurfaced. Although Twitter initially said it had no evidence the flaw had been exploited, it has since changed its position.
As of August 2022, Twitter has confirmed that the flaw was exploited and that personal information, including the email addresses and phone numbers linked to accounts, was exposed. Twitter has not released a figure; the actor selling the data claims it covers roughly 5.4 million accounts.
Re-Creating User Profiles
This flaw was an account-enumeration bug: submitting a phone number or email address to Twitter revealed which account, if any, it was linked to. Twitter lets users opt out of being found by email or phone in their discoverability settings, but the flawed code ignored that setting, so pseudonymous accounts whose owners had deliberately hidden themselves could be tied to real-world contact details.
With an email address or phone number matched to a handle, the attacker can then scrape the public profile to assemble a record: follower count, handle, display name, location, profile picture and so on. Those public fields are not secret on their own; the damage is the link between a handle and a contact detail its owner chose not to expose. The seller claims to have compiled such records for all 5.4 million accounts and has published a sample as proof.
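To make the mechanism concrete, here is an added example in Python. It is not Twitter's code; the account records, field names such as discoverable_by_email, and the function names are constructed for illustration. It shows a lookup handler with the behaviour described above, which returns the linked handle regardless of the owner's discoverability setting, beside a hardened version that enforces the setting and makes a hidden account indistinguishable from one that does not exist, plus the attacker's side of the loop that turns such an endpoint into a harvest.

```python
"""Added example (not Twitter's code): an email/phone-to-account lookup that
ignores the user's discoverability setting, beside a hardened version.
All accounts, identifiers and settings below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool   # user opted in to being found by email
    discoverable_by_phone: bool   # user opted in to being found by phone


# Constructed sample directory (not real users). The second account is a
# pseudonymous user who has turned discoverability off on both channels.
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550000001", True, True),
    Account("whistleblower42", "w42@example.org", "+15550000002", False, False),
]


def _find(identifier):
    """Resolve an email or phone number to the account it is attached to."""
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


def vulnerable_lookup(identifier):
    """The flawed behaviour: any match is reported, whatever the owner chose,
    and 'no such account' is clearly distinguishable from 'account exists'."""
    acct = _find(identifier)
    if acct is None:
        return {"exists": False}
    return {"exists": True, "handle": acct.handle}


def hardened_lookup(identifier):
    """The fix: reveal a match only when the owner opted in on that channel,
    and return the same response in every other case so the caller cannot
    tell a hidden account from a nonexistent one."""
    acct = _find(identifier)
    if acct is not None:
        opted_in = (acct.discoverable_by_email if identifier == acct.email
                    else acct.discoverable_by_phone)
        if opted_in:
            return {"handle": acct.handle}
    return {"handle": None}


def harvest(lookup, candidates):
    """Attacker's side: push a list of emails/phones through the endpoint and
    keep every identifier that resolves to a handle."""
    found = {}
    for ident in candidates:
        handle = lookup(ident).get("handle")
        if handle:
            found[ident] = handle
    return found


if __name__ == "__main__":
    candidates = ["alice@example.com", "+15550000002", "nobody@example.net"]
    print("vulnerable:", harvest(vulnerable_lookup, candidates))
    print("hardened:  ", harvest(hardened_lookup, candidates))
```

The hardened handler still answers for users who opted in, which is what contact-sync features need; the point is that the response for an opted-out account is byte-for-byte the same as for an unknown identifier, so the endpoint stops being an oracle. Rate limiting on top of this is worthwhile but is not a substitute: the flaw here was a logic error, and a slow enumeration still completes.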
When the data was first offered for sale, the seller asked $30,000; it has since been reported that it changed hands for less than that. It is also likely that the data will eventually be posted publicly for free.
A Late Confirmation
Confirmation finally came in August 2022, when Twitter released a statement that read, in part: “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person's email or phone number, they could identify their Twitter account, if one existed.”
They also provided some insight into what initially caused the bug, stating: “This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
How to Protect Yourself
Twitter says no passwords were exposed, but it is still urging all users to enable two-factor authentication (2FA), preferably with an authenticator app or hardware security key rather than SMS, since the attackers now hold the phone numbers. It also advises anyone running a pseudonymous account not to attach a publicly known phone number or email address to it. Note what each measure does: 2FA protects the login, not the link between your handle and your contact details; keeping a dedicated email address and phone number on a pseudonymous account is what actually limits that exposure, now and for any similar flaw in the future.
Users also need to be wary of the third parties that reportedly bought the data. A handle paired with an email address or phone number is harmful on its own for anyone who relies on a pseudonymous account, and it is also useful input for follow-up attacks: spear-phishing aimed at the account owner, SIM swapping against SMS-based 2FA, and credential stuffing against other services that use the same email address.
Twitter Hack Exposes 5.4 Million User Records