Twitter has suffered a data breach after threat actors used a flaw to build a database of phone numbers and email addresses belonging to 5.4 million accounts, with the data now being offered for sale on a hacker forum for $30,000.
Yesterday, a threat actor known as ‘The Devil’ said on a stolen-data market that the database contains information about various accounts, including celebrities, companies and random users.
“Hello, today I present to you data collected on multiple users using Twitter via a vulnerability. (5485636 users to be exact),” reads the forum post selling the Twitter data.
“These users range from celebrities to corporations, random people, OGs, and so on.”
In a conversation with the threat actor, BleepingComputer was told that they exploited a vulnerability to collect the data in December 2021. They are now selling the data for $30,000 and have already been contacted by interested buyers.
As first reported by Restore Privacy, the vulnerability used to collect the data is the same one disclosed to Twitter through HackerOne on January 1st and fixed on January 13th.
“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is roughly equivalent to getting the account’s username) of any user by submitting a phone number or e-mail address, even though the user has blocked this action in their privacy settings,” reads the vulnerability disclosure by security researcher zhirinovskiy.
“The error exists due to the authorization process used in the Android client for Twitter, specifically for Twitter account duplication checks.”
However, Devil told BleepingComputer that they are not zhirinovskiy and have never used HackerOne.
“I don’t want the white hat who reported it on H1 to get in trouble. I think a lot of people are trying to associate it with me; I’d be pissed off if I were them. So I can’t stress this enough: I don’t have anything to do with it,” the threat actor told BleepingComputer.
The hacker told us that the vulnerability could be fed email addresses and phone numbers to determine whether they were associated with a Twitter account and to retrieve that account’s ID.
Armed with that Twitter ID, they likely scraped the rest of the account’s public data to build a profile for each user.
This vulnerability is similar to the one threat actors used to scrape the account data of 533 million Facebook users in 2021.
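As an added illustration (not code from the article, from Twitter, or from the researcher), the constructed Python model below contrasts an account-duplication check that leaks the account ID regardless of privacy settings with a hardened version, and adds a simple per-caller lookup counter a defender could run over request logs. All names, sample accounts and the log format are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool  # "let people who have my email find me"
    discoverable_by_phone: bool  # "let people who have my phone find me"

# Constructed sample accounts, not real Twitter data.
DIRECTORY = [
    User(1001, "alice@example.invalid", "+15550000001", False, False),
    User(1002, "bob@example.invalid", "+15550000002", True, True),
]

def lookup_vulnerable(contact: str) -> dict:
    """Duplication check with the flaw pattern the article describes:
    no authentication, privacy settings ignored, account ID returned."""
    for u in DIRECTORY:
        if contact in (u.email, u.phone):
            return {"exists": True, "user_id": u.user_id}
    return {"exists": False}

def lookup_fixed(contact: str, authenticated: bool) -> dict:
    """Hardened check: caller must be authenticated, the per-channel
    discoverability setting is honoured, and the ID is never returned.
    'Not discoverable' and 'no such account' give the same answer."""
    if not authenticated:
        return {"error": "authentication required"}
    for u in DIRECTORY:
        if contact == u.email and u.discoverable_by_email:
            return {"exists": True}
        if contact == u.phone and u.discoverable_by_phone:
            return {"exists": True}
    return {"exists": False}

def enumeration_suspects(log_lines: list, threshold: int = 100) -> list:
    """Detection: callers issuing at least `threshold` lookups in the log.
    Assumed log format (constructed): '<caller> lookup <contact>'."""
    counts = Counter(line.split()[0] for line in log_lines if " lookup " in line)
    return sorted(c for c, n in counts.items() if n >= threshold)
```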
The leaked data has been verified
Twitter has not confirmed the data breach at this time, telling BleepingComputer that they are investigating the validity of the claims.
“We received a report on this incident several months ago through our bug bounty program, and the vulnerability was promptly investigated and fixed. As always, we are committed to protecting the privacy and security of people who use Twitter. We are grateful to the security community that participates in our bug bounty program to help us identify potential vulnerabilities like this.
We are reviewing the most recent data to validate the claims and to ensure the security of the accounts involved.”
However, BleepingComputer has verified with some Twitter users included in the small sample of data shared by the hacker that the private information (email addresses and phone numbers) is accurate.
Since we can only verify a small number of users included in the stolen data, it is impossible to determine whether all 5.4 million accounts sold are valid.
Although most of the data sold is publicly available, threat actors can use email addresses and phone numbers for targeted phishing attacks.
Therefore, all Twitter users should be wary of emails claiming to come from Twitter, especially those asking you to enter login credentials, which should only ever be entered on Twitter.com.