Account data of 5.4 million users on sale for $30k.
Twitter has suffered a data breach in which the threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts. The data has now been put up for sale on a hacker forum for $30,000.
The threat actor known as ‘devil’ said on a stolen data market that the database contains info about various accounts, including celebrities, companies, and random users.
The threat actor used a vulnerability to collect the data in December 2021. The vulnerability used to collect the data is the same one disclosed to Twitter through HackerOne on January 1st and fixed on January 13th.
The vulnerability disclosure by security researcher ‘zhirinovskiy’ states that the flaw allows any party, without any authentication, to obtain the Twitter ID of any user by submitting a phone number or email address, even when the user has disabled this lookup in their privacy settings.
The bug stems from the authorization process used in Twitter's Android client, specifically the step that checks whether a Twitter account with that phone number or email already exists.
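To illustrate the bug class described above, here is an added example (constructed, not Twitter's code) of a toy "is this email/phone already registered?" check: the flawed version answers unauthenticated callers with the account ID regardless of the user's discoverability setting, while the hardened version returns a uniform response, resolves the collision out of band, and rate-limits callers. All users, identifiers and the `OUTBOX` channel are invented for the example.

```python
"""Toy model of an account-duplication check that leaks account IDs,
next to a version that does not. Constructed example; not Twitter's code."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    user_id: int
    email: str
    phone: str
    discoverable: bool  # the user's "let others find me by email/phone" setting

USERS = [  # constructed sample accounts
    User(1001, "alice@example.com", "+15550000001", True),
    User(1002, "bob@example.com", "+15550000002", False),
]

OUTBOX: list = []  # constructed stand-in for the email/SMS channel

def _lookup(identifier: str) -> Optional[User]:
    return next((u for u in USERS if identifier in (u.email, u.phone)), None)

def duplicate_check_flawed(identifier: str) -> dict:
    """Flawed: unauthenticated, answers differently for known vs unknown
    identifiers, returns the account ID, and ignores `discoverable`.
    This is exactly the oracle that lets contact data be mapped to accounts."""
    u = _lookup(identifier)
    return {"taken": True, "user_id": u.user_id} if u else {"taken": False}

RATE_LIMIT = 5
_requests: Counter = Counter()

def duplicate_check_hardened(identifier: str, client: str) -> dict:
    """Hardened: the HTTP response is identical whether or not the identifier
    is registered, so nothing about the account (not even its existence)
    is revealed. The real collision is handled through a message that only
    the owner of the address or number can read, and each client is
    rate-limited to slow bulk probing."""
    _requests[client] += 1
    if _requests[client] > RATE_LIMIT:
        return {"status": "rate_limited"}
    _send_verification(identifier, existing=_lookup(identifier))
    return {"status": "verification_sent"}

def _send_verification(identifier: str, existing: Optional[User]) -> None:
    # Out-of-band message: differs by account state, but is visible only to
    # whoever controls the address, not to the caller of the endpoint.
    text = "already registered, sign in instead" if existing else "complete sign-up"
    OUTBOX.append((identifier, text))
```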
However, ‘devil’ claimed that they are not affiliated with zhirinovskiy and have never used HackerOne.
This vulnerability is similar to the one threat actors used to scrape the Facebook account data of 533 million users in 2021.
Twitter has not confirmed the data breach at this time, and they are investigating the authenticity of the claims.
Even though most of the data being sold is publicly available, threat actors can use the email addresses and phone numbers in targeted phishing attacks.
All Twitter users are therefore advised to stay vigilant when receiving emails that appear to come from Twitter, especially ones asking them to enter login credentials, which should only ever be entered on Twitter.com.