A threat actor exploited a now-patched Twitter vulnerability to build a database of phone numbers and email addresses linked to 5.4 million Twitter accounts. The data is now up for sale on a hacker forum for $30,000.
The seller, a threat actor known as ‘devil’, posted on a stolen-data market that the database covers a wide range of accounts, including those of celebrities and companies.
The threat actor’s post reads, “hello, today I present you data collected on multiple users who use Twitter via a vulnerability. (5485636 users to be exact).”
“These users range from Celebrities, to Companies, randoms, OGs, etc.”
The threat actor says they exploited the vulnerability to collect the data in December 2021. According to Bleeping Computer, interested buyers have already approached them.
The vulnerability is the same one reported to Twitter through HackerOne on 1st January 2022 and fixed on 13th January 2022.
“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings,” reads the vulnerability disclosure by security researcher ‘zhirinovskiy’.
“The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.”
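The bug class the disclosure describes is a classic account-enumeration flaw: a signup-time “is this email/phone already taken?” check that answers an unauthenticated query with the owning account’s identity, ignoring the owner’s discoverability settings. The following is an added, constructed illustration of that pattern beside a hardened version; it is not Twitter’s code, and the account records, the rate limit, the message gateway stand-in and all function names are assumptions made for the example.

```python
"""Constructed model of the account-lookup bug class described in the disclosure.

Not Twitter's code. A duplicate-account check that answers an unauthenticated
email/phone query with the owning account's ID is shown beside a hardened
version that (a) never discloses identity or existence to the caller,
(b) rate-limits the endpoint, and (c) confines ID lookup to an authenticated
contact-discovery feature that honours the user's discoverability settings.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    username: str
    email: str
    phone: str
    # The "let people who have your email / phone find you" privacy settings.
    discoverable_by_email: bool = True
    discoverable_by_phone: bool = True


# Constructed sample directory: hypothetical accounts, not real data.
DIRECTORY = [
    Account(1001, "alice", "alice@example.com", "+15550000001",
            discoverable_by_email=False, discoverable_by_phone=False),
    Account(1002, "bob", "bob@example.com", "+15550000002"),
]


def _find(identifier: str) -> Optional[Account]:
    """Look up an account by email or phone; None if not registered."""
    for acct in DIRECTORY:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


def vulnerable_duplicate_check(identifier: str) -> dict:
    """Vulnerable pattern: the signup flow's 'is this taken?' check leaks the
    account ID to anyone, with no authentication and no regard for the
    owner's discoverability settings. Feeding it a list of emails/phones
    yields an identifier -> user_id map, which is the enumeration described
    in the disclosure."""
    acct = _find(identifier)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "user_id": acct.user_id}


# Hardened version. The limit and the gateway stand-in are assumptions.
MAX_CHECKS_PER_CLIENT = 5
_check_counts: dict = defaultdict(int)
OUTBOUND_MESSAGES: list = []  # stand-in for the email/SMS gateway


def hardened_duplicate_check(identifier: str, client_key: str) -> dict:
    """Hardened pattern: the caller gets the same answer whether or not the
    identifier is registered; only the owner of the mailbox/number learns
    which case applied, via an out-of-band message. The endpoint is also
    rate-limited per client key (IP, device, or captcha token)."""
    _check_counts[client_key] += 1
    if _check_counts[client_key] > MAX_CHECKS_PER_CLIENT:
        return {"status": "rate_limited"}
    if _find(identifier) is not None:
        OUTBOUND_MESSAGES.append(
            (identifier, "This address is already registered; sign in or reset your password."))
    else:
        OUTBOUND_MESSAGES.append((identifier, "Your signup verification code is enclosed."))
    return {"status": "verification_sent"}


def hardened_contact_lookup(identifier: str, caller: Optional[Account]) -> Optional[int]:
    """The only path that may resolve email/phone -> user_id: it requires an
    authenticated caller and checks the discoverability flag that matches the
    kind of identifier supplied."""
    if caller is None:
        raise PermissionError("contact lookup requires an authenticated caller")
    acct = _find(identifier)
    if acct is None:
        return None
    if identifier == acct.email and not acct.discoverable_by_email:
        return None
    if identifier == acct.phone and not acct.discoverable_by_phone:
        return None
    return acct.user_id


if __name__ == "__main__":
    # alice opted out of discovery, yet the vulnerable check still yields her ID.
    print(vulnerable_duplicate_check("alice@example.com"))
    print(hardened_duplicate_check("alice@example.com", "203.0.113.5"))
    print(hardened_duplicate_check("nobody@example.com", "203.0.113.5"))
    print(hardened_contact_lookup("alice@example.com", DIRECTORY[1]))
    print(hardened_contact_lookup("bob@example.com", DIRECTORY[0]))
```

The point of the hardened split is that a signup duplicate check never needs to tell the caller who owns an address, or even whether it exists; pushing that answer out of band to the address itself removes the oracle, and the rate limit caps whatever residual signal (timing, message delivery) remains. Linking an email or phone to an account ID stays confined to a separate, authenticated feature that consults the user’s own opt-out.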
Devil told Bleeping Computer that they are not affiliated with Zhirinovskiy or HackerOne.
“I don’t want to [get the] white hat in trouble who reported it on H1. I guess a lot of people are trying to connect him to me, I would be pissed if I was him. So I can’t stress this enough, I have nothing to do w[ith] him nor H1.”
Twitter has not yet confirmed the data breach but is investigating the claims.