Twitter users with anonymous accounts may want to take precautions if the outing of their associated profile information could cause problems for them, according to new information released by the social media giant. A security breach that exposed some 5.4 million accounts to the attacker included an unknown number of anonymous profiles, potentially putting activists and political dissidents at risk. The incident was caused by a zero-day involving a flaw in the Twitter API.
2021 Twitter security breach caused by zero-day, not known to public until last month
Twitter says that the security breach occurred in December 2021, but was not public knowledge until July 21 of this year when the attacker emerged on an underground forum offering a collection of scraped profile information containing non-public elements (such as account email addresses and phone numbers) for $30,000. Twitter says that the issue was traced back to a zero-day flaw in its API that allowed unauthorized access to private profile information, and that it had been fixed in January 2022 but that there had been no signs of abuse at the time it was patched out.
The exact number of anonymous accounts impacted by this is unknown; Twitter says it is “impossible to estimate.” It is also unknown who, if anyone, purchased the data offered on the dark web. It has not been made freely available to the public, but this tends to happen with scraped profile information some time after the sales possibilities for it are exhausted.
As all of that shapes up, journalists and activists around the world are left wondering if the security breach has exposed an email or phone number tied to their anonymous accounts that could identify them. This information would be of obvious interest to repressive governments, who were probably the primary intended customers of the hacker. The only clues about the composition of the stolen data were left by the attacker, who indicated in their sales post that it came from around the world and included celebrities as well as regular people.
Twitter has had a number of major security breach incidents in recent years, the biggest being a 2020 attack that saw high-profile celebrity accounts temporarily taken over and used for a crypto scam. The platform has had prior issues with scraping of hidden information and logging of passwords in plaintext.
Twitter unable to estimate number of anonymous accounts impacted
Twitter’s timeline of the security breach has the flaw being exploited as a zero-day in December 2021, while it was still unknown to the company. The issue was reported in January 2022 and patched right away, but Twitter appears to have been unaware of the earlier exploitation until the stolen data emerged for sale in mid-July.
Twitter profiles generally do not contain a great deal of hidden sensitive information, but the emails and phone numbers used to set them up (and for security verification) are not made available to people viewing the account. An attacker should not have been able to obtain this information by scraping the Twitter API without proper authentication. The technique appears to have involved submitting one of these items (either a phone number or an email address) to the Twitter API; if it matched an account, the attacker could view everything in that profile. The attacker likely fed known email addresses and phone numbers into the system via a script to come up with hidden information for over five million accounts.
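The pattern described above, as an added illustration that is not Twitter’s code: a contact-lookup handler that returns the matching account to any caller, beside a hardened version. The account data, the opt-in “discoverable_by” setting, the per-caller budget and the response shapes are all constructed for the example; the page does not describe the real endpoint.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    handle: str
    email: str
    phone: str
    # Hypothetical opt-in: which contact fields the owner allows lookups by.
    discoverable_by: frozenset = field(default_factory=frozenset)

# Constructed sample accounts; the email and phone are the hidden fields the
# page says were never meant to be visible to someone viewing the profile.
ACCOUNTS = [
    Account("@anon_reporter", "tips@example.org", "+15550100"),
    Account("@gardener99", "gardener@example.net", "+15550101",
            discoverable_by=frozenset({"email"})),
]
BY_CONTACT = {a.email: ("email", a) for a in ACCOUNTS}
BY_CONTACT.update({a.phone: ("phone", a) for a in ACCOUNTS})

def leaky_lookup(contact: str) -> Optional[str]:
    """The flaw as the page describes it: no authentication, and any email or
    phone that matches an account reveals which account it belongs to."""
    hit = BY_CONTACT.get(contact)
    return None if hit is None else hit[1].handle

class HardenedLookup:
    """The same lookup behind three controls: the caller must be authenticated,
    the owner must have opted in to being found by that contact field, and a
    per-caller budget caps bulk probing. A miss and a non-discoverable hit
    produce the identical answer, so account existence cannot be inferred."""
    def __init__(self, budget: int = 3):
        self.budget = budget
        self.calls = defaultdict(int)

    def lookup(self, caller: Optional[str], contact: str) -> dict:
        if caller is None:
            return {"status": "authentication_required"}
        self.calls[caller] += 1
        if self.calls[caller] > self.budget:
            return {"status": "rate_limited"}
        hit = BY_CONTACT.get(contact)
        if hit is None or hit[0] not in hit[1].discoverable_by:
            return {"status": "ok", "matches": []}
        return {"status": "ok", "matches": [hit[1].handle]}
```

The leaky handler links the journalist’s phone number straight to the handle; the hardened one gives the same empty result for that number as for a number that belongs to nobody.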
Anonymous accounts that are impacted by this zero-day security breach should receive direct notification from Twitter if they have not already.