Zero-Day Bug Responsible for Massive Twitter Breach
According to Twitter, a zero-day vulnerability in its code base was behind a data breach that affected millions of users. The company says the flaw was reported in January 2022 through its bug bounty program. After the breach, which affected 5.4 million users, the threat actor offered the profile data for sale for $30,000 on a cybercrime forum. Most of the data in the file was scraped from public Twitter profiles (location, profile image URL and similar fields) and is of limited use on its own; the damaging part is that, for some records, email addresses and phone numbers were linked to account IDs, which can unmask otherwise pseudonymous accounts.
Twitter stated that if someone submitted an email address or phone number to its systems, the platform would tell them which Twitter account that email address or phone number was associated with. This is a classic account-enumeration flaw: anyone who can submit candidate email addresses or phone numbers in bulk can map them to accounts, which is how a data set of this size could be assembled from a single lookup feature. Twitter says it fixed the vulnerability once it was reported.
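To make the class of bug concrete, here is an added example in pure Python that is not Twitter's code and not taken from the article. It models a lookup endpoint with the flawed behaviour the article describes (the response names the account tied to a submitted email or phone number), shows how an attacker turns that into a bulk mapping, and puts a hardened version beside it. The account table, identifiers and probe list are constructed for illustration; the hardened design (uniform response, out-of-band notification to the owner, per-source rate limit) is the standard mitigation, not a description of what Twitter deployed.

```python
"""Account-enumeration flaw, vulnerable and hardened, in pure Python.

Everything here is constructed for illustration: the account table,
identifiers and probe list are invented and unrelated to any real data.
"""
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Constructed account table: identifier -> handle. A real service would index
# these in a database; a dict keeps the example self-contained.
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "@alice_example",
    "+15550100001": "@alice_example",
    "bob@example.com": "@bob_example",
}

# Constructed attacker wordlist: some identifiers exist, some do not.
PROBE_LIST: List[str] = [
    "alice@example.com",
    "nobody@example.com",
    "+15550100001",
    "bob@example.com",
]


def vulnerable_lookup(identifier: str) -> dict:
    """Flawed behaviour: the caller is told which account the submitted
    email or phone number belongs to, and a miss is distinguishable."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "account": handle}


def enumerate_accounts(lookup: Callable[[str], dict],
                       wordlist: List[str]) -> Dict[str, str]:
    """What a threat actor does with the flawed endpoint: submit each guessed
    identifier and keep every one that resolves to an account."""
    found: Dict[str, str] = {}
    for ident in wordlist:
        resp = lookup(ident)
        if resp.get("status") == "found":
            found[ident] = resp["account"]
    return found


class HardenedLookup:
    """Same feature with the enumeration channel removed:
    * the response is byte-identical whether or not the identifier is known;
    * if there is a match, the account owner is notified out of band (here a
      queue stands in for email/SMS) instead of the caller being told;
    * each source is rate-limited so blind bulk probing is slow and visible.
    Residual timing differences between hit and miss are out of scope here;
    a real deployment would also normalise response latency.
    """

    UNIFORM = {"status": "ok",
               "message": "If this email or phone number is registered, "
                          "we have sent instructions to it."}

    def __init__(self, limit: int = 5, window_s: float = 60.0) -> None:
        self.limit = limit
        self.window_s = window_s
        self._hits: Dict[str, List[float]] = defaultdict(list)  # source -> times
        self.outbound: List[tuple] = []  # (identifier, message) sent to owner

    def _allowed(self, source: str, now: float) -> bool:
        recent = [t for t in self._hits[source] if now - t < self.window_s]
        self._hits[source] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

    def lookup(self, identifier: str, source: str,
               now: Optional[float] = None) -> dict:
        now = time.monotonic() if now is None else now
        if not self._allowed(source, now):
            return {"status": "rate_limited"}
        handle = ACCOUNTS.get(identifier)
        if handle is not None:
            # Tell the owner, never the caller.
            self.outbound.append(
                (identifier, f"Someone submitted your contact for {handle}"))
        return dict(self.UNIFORM)


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(vulnerable_lookup, PROBE_LIST))
    svc = HardenedLookup()
    print("hardened:  ", enumerate_accounts(
        lambda i: svc.lookup(i, source="203.0.113.7"), PROBE_LIST))
```

Running the script shows the vulnerable endpoint handing back three identifier-to-handle mappings from four probes, while the hardened endpoint yields nothing to the caller and instead generates three notifications to the real account owners. The `source` parameter stands in for whatever the service keys rate limits on (client IP, session, API key); the window and limit values are placeholders.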