Security News

Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform. "As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company said in an advisory.

Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users' accounts, allowing a threat actor to compile a list of 5.4 million user account profiles. Last month, BleepingComputer spoke to a threat actor who said that they were able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site.

Want to build your own army? Engineers at CloudSEK have published a report on how to do just that in terms of bots and Twitter, thanks to API keys leaking from applications. Researchers at the company say they've uncovered 3,207 apps leaking Twitter API keys, which can be used to gain access to or even entirely take over Twitter accounts.

Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. "Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions," the researchers said.

Cybersecurity researchers have uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over users' Twitter accounts that are associated with the app. The discovery belongs to cybersecurity firm CloudSEK, which scrutinized large app sets for potential data leaks and found 3,207 leaking a valid Consumer Key and Consumer Secret for the Twitter API. When integrating mobile apps with Twitter, developers will be given special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also will enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc.

Twitter is investigating claims that a near-seven-month-old vulnerability in its software has been exploited to obtain the phone numbers and email addresses of a reported 5.4 million users. "We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question," a Twitter spokesperson wrote in an email to The Register.

Twitter has suffered a data breach after threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts, with the data now up for sale on a hacker forum for $30,000. "Hello, today I present you data collected on multiple users who use Twitter via a vulnerability.," reads the forums post selling the Twitter data.

While the Twitter API status page shows no issues for today, almost 55,000 users have reported over the past 30 minutes that that the service is not working. At the time of writing, the browser version of the Twitter app is showing the typical "Something went wrong, but don't fret - it's not your fault" errors.

British Army's Twitter and YouTube accounts were hacked and altered to promote online crypto scams sometime yesterday. Notably, the army's verified Twitter account began displaying fake NFTs and bogus crypto giveaway schemes.

The YouTube takeover replaced the legit account with regalia that faked that used by an investment management firm and filled with more crypto boosterism, namely a video that cut an old chat between Elon Musk and Twitter founder Jack Dorsey into a new and misleading narrative. We are aware of a breach of the Army's Twitter and YouTube accounts and an investigation is underway.