A Los Angeles-based cyber security expert has warned of a data breach at the social media site Twitter that has allegedly affected “millions” across the US and EU.
Chad Loder, who is the founder of cyber security awareness company Habitu8, took to the social media site on November 23 to warn users of the alleged data breach that Loder claims occurred “no earlier than 2021” and “has not been reported before”.
In a series of tweets, Loder claimed they had seen the data stolen in the alleged breach and spoke to potential victims of the breach, who had confirmed that the breached data was “accurate”.
Loder said that any Twitter account with the “let others find you by phone number” setting enabled in its “discoverability” settings is affected, with “all accounts for the entire country code of France” listed, with their full mobile numbers.
The breach also allegedly includes the “full phone number spaces for multiple country codes in the EU” and “some area code[s] in the US”, with the data set including personal information for “verified accounts, celebrities, prominent politicians and government agencies”.
Twitter previously confirmed a data breach that affected millions of user accounts in July of this year, however, Loder stated that this “cannot” be the same breach unless the company “lied” about the July breach. According to Loder, the data from this breach is “not the same data” as that seen in the July breachas it is in a “completely different format” and has “different affected accounts”.
Loder believes that the breach occurred due to malicious actors exploiting the same vulnerability as the hack reported in July.
Loder’s Twitter account was suspended at some point in the last 24 hours as, according to Twitter, it “violate[d] the Twitter rules”.
The July 2022 Twitter data breach
According to the devil, the stolen data is included email addresses and phone numbers from “celebrities, companies, randoms, OGs, etc”. ‘OGs’ refers to Twitter handles that are either short, comprising of one or two letters, or a desirable word, like a first name. Devil said they would not accept offers lower than US$30,000 for the data set.
The owner of Breach Forums first verified that the leak was authentic, stating that the data breach took place as the devil was able to exploit a vulnerability on the social media site first flagged in January 2022.
A report on the vulnerability was published to the bug bounty and vulnerability coordination platform HackerOne on January 1, 2022, by a member called Zhirinovsky. In the report, they described the effects of the vulnerability, saying:
“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.”
This means the vulnerability could, and later did, allow “any attacker with a basic knowledge of scripting/coding [to] enumerate a big chunk of the Twitter user base” and collect user data into a database that links Twitter usernames to their respective email addresses or phone numbers. This could then be sold to malicious parties who could use the data for advertising purposes, or to maliciously target specific Twitter accountsfor example celebrities.
Twitter itself verified the vulnerability on January 6 and subsequently paid Zhirinovsky US$5,040 to patch the issue on January 13, with Zhirinovsky confirming that the issue had been resolved that day.
On August 5, Twitter posted a statement about the breach, confirming that it had happened and that it was due to the vulnerability flagged in January. The company said it would “directly notify the account users.” [it] could confirm were affected by this issue”.
Twitter said the data breach was “unfortunate” and encouraged users to enable two-factor authentication to protect their accounts from unauthorized logins.