Twitter has suffered a data breach after threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts, with the data now up for sale on a hacker forum for $30,000.
Yesterday, a threat actor known as ‘devil’ said on a stolen data market that the database contains info about various accounts, including celebrities, companies, and random users.
“Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. (5485636 users to be exact),” reads the forums post selling the Twitter data.
“These users range from Celebrities, to Companies, randoms, OGs, etc.”
Forum post selling the scraped Twitter data
In a conversation with the threat actor, BleepingComputer was told that they used a vulnerability to collect the data in December 2021. They are now selling the data for $30,000, and that interested buyers have already approached them.
As first reported by Restore Privacy, the vulnerability used to collect the data is the same one disclosed to Twitter through HackerOne on January 1st and fixed on January 13th.
“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibitted this action in the privacy settings,” reads the vulnerability disclosure by security researcher ‘zhirinovskiy.’
“The bug exists due to the proccess of authorization used in the Android Client of Twitter, specifically in the procces of checking the duplication of a Twitter account.”
However, Devil told BleepingComputer that they are not affiliated with zhirinovskiy and have never used HackerOne.
“I don’t want to white hat in trouble who reported it on H1. I guess a lot of people are trying to connect him to me, I would be pissed if I was him. So I cant stress this enough I have nothing to do w him nor H1,” the threat actor told BleepingComputer.
The hacker told us that you could feed email addresses and phone numbers to the vulnerability to determine if it is associated with a Twitter account and retrieve that account’s ID.
Armed with this Twitter ID, they likely scraped the rest of the public data to create a user profile for the user.
This vulnerability is similar to how threat actors scraped the Facebook account data of 533 million users in 2021.
Leaked data verified
Twitter has not confirmed the data breach at this time, telling BleepingComputer that they are investigating the authenticity of the claims.
“We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability. As always, we’re committed to protecting the privacy and security of the people who use Twitter. We’re grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this.
We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”
However, BleepingComputer verified with some of the Twitter users listed in a small sample of data shared by the hacker that the private information (email addresses and phone numbers) is accurate.
Since we could only verify a small number of users listed in the scraped data, it is impossible to say if all 5.4 million accounts being sold are valid.
Even though most of the data being sold is publicly available, threat actors can use the email addresses and phone numbers in targeted phishing attacks.
Therefore, all Twitter users should be vigilant when receiving emails from Twitter, especially if they ask you to enter login credentials, which users should only be done on Twitter.com.