5.4 million Twitter accounts available for sale online

Social media site Twitter has suffered a data breach affecting over 5.4 million accounts, which are now for sale on a hacking forum. The hacker, who goes by the alias ‘devil’, claimed in a post on Breach Forums that the stolen dataset includes email addresses and phone numbers from “Celebrities, to Companies, randoms, OGs, etc.” ‘OGs’ refers to desirable Twitter handles – either short ones or ones that spell a sought-after word.

On January 1, 2022, a report was filed on HackerOne describing a vulnerability that allowed an attacker to obtain the phone number and email address associated with Twitter accounts, even when the user had hidden these fields in their privacy settings.

“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by zhirinovskiy.

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”

Five days after the report was posted, Twitter acknowledged it as a “valid security issue”. After investigating further, Twitter fixed the vulnerability and awarded zhirinovskiy a $5,040 bounty.

A threat actor is now selling the data acquired through this vulnerability for at least $30,000. It is being offered on Breached Forums, the same forum on which 23 terabytes of data leaked from 1 billion Chinese citizens were posted.
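The enumeration oracle the report describes, beside the kind of check that closes it, as an added example (not code from the article, the HackerOne report or Twitter; the accounts, contacts and response formats are constructed). The hardened duplicate check returns the same response for every input and moves the distinguishing step out of band, and the lookup honours the user's discoverability setting:

```python
"""Added example (not from the article, the report or Twitter): an
account-duplication check that leaks existence, beside a hardened version
whose response does not depend on whether the contact is registered."""
from dataclasses import dataclass


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    discoverable: bool  # the user's "let others find me by email/phone" setting


# Constructed sample data; handles and contacts are invented.
ACCOUNTS = [
    Account("celeb", "celeb@example.com", "+15550100", discoverable=False),
    Account("open_user", "open@example.com", "+15550101", discoverable=True),
]
OUTBOX: list = []  # stands in for the email/SMS sender


def find(contact: str):
    return next((a for a in ACCOUNTS if contact in (a.email, a.phone)), None)


def duplicate_check_leaky(contact: str) -> dict:
    """The flaw the report describes: an unauthenticated caller learns whether a
    contact is registered, and which handle, regardless of privacy settings."""
    acct = find(contact)
    return {"taken": True, "handle": acct.handle} if acct else {"taken": False}


def duplicate_check_hardened(contact: str) -> dict:
    """Identical response for every input; only the owner of the contact learns
    the outcome, from a message sent to that contact."""
    if find(contact):
        OUTBOX.append((contact, "Someone tried to sign up with this contact; ignore if it was not you"))
    else:
        OUTBOX.append((contact, "Confirm your new account"))
    return {"status": "verification_sent"}


def discover_hardened(contact: str) -> dict:
    """Contact-to-account lookup that only matches accounts that opted in;
    'not found' and 'opted out' produce the same response."""
    acct = find(contact)
    if acct and acct.discoverable:
        return {"handle": acct.handle}
    return {"handle": None}
```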
