
Twitter has suffered a data breach after threat actors used a flaw to build a database of phone numbers and email addresses belonging to 5.4 million accounts,
with the data now being offered for sale on a hacker forum for $30,000.
Yesterday, the threat actor said that the database contains information on a wide range of accounts, including celebrities, companies and ordinary users.
“Hello, today I present to you data collected on multiple users using Twitter via a vulnerability. (5485636 users to be exact),”
reads the forum post selling the Twitter data.
In a conversation with the threat actor,
BleepingComputer was told that they used a vulnerability to collect the data in December 2021.
They are now selling the data for $30,000, and interested buyers have already contacted them.
As first reported by Privacy Restore, the vulnerability used to collect the data is the same one that was disclosed to Twitter through HackerOne on January 1st and fixed on January 13th.
“The vulnerability allows a party without any authentication to obtain the Twitter ID (roughly equivalent to obtaining an account username)
of any user by sending a phone number/e-mail even though the user
has blocked this action in their privacy settings,” it reads.
The vulnerability was discovered by security researcher zhirinovskiy.
“The error exists due to the authorization process used in the Android client for Twitter, specifically for Twitter account duplication checks.”
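The flaw class described in the two quotes above is an account-existence oracle: an unauthenticated "is this contact already registered?" check that hands back an identifier and ignores the user's discoverability setting. The following is an added example, written for this page and not code from Twitter, the researcher or the article; it puts the flawed lookup beside a hardened one, shows the one place a contact may legitimately resolve to an account (an authenticated contact sync that honours the privacy flag), and adds a simple detector for bulk probing. The `USERS` table, the `discoverable` flag, the client address and every function name are constructed assumptions.

```python
"""Added example (not Twitter's or the article's code): an account-existence
oracle of the kind described above, a hardened replacement, a privacy-aware
contact lookup, and a sliding-window detector for bulk enumeration.
All data and names here are constructed for illustration."""
from collections import defaultdict, deque

# Constructed sample directory: normalized contact -> account record.
# `discoverable` stands in for the "let people find me by email/phone" setting.
USERS = {
    "alice@example.com": {"id": 1001, "discoverable": False},
    "+15555550100": {"id": 1002, "discoverable": True},
}


def normalize(contact: str) -> str:
    """Canonicalise a contact so lookups do not depend on case or whitespace."""
    return contact.strip().lower()


def duplicate_check_vulnerable(contact: str) -> dict:
    """Flawed pattern: whether the contact is registered, and the numeric
    account ID, are returned to any caller, and the privacy flag is never read."""
    row = USERS.get(normalize(contact))
    if row is not None:
        return {"taken": True, "user_id": row["id"]}
    return {"taken": False}


def duplicate_check_hardened(contact: str, outbox: list) -> dict:
    """Hardened pattern: the response body is identical whether or not the
    contact exists. The real answer is delivered only over the channel the
    contact owns (email or SMS, modelled by `outbox`), so a third party who
    submits someone else's address learns nothing from the reply."""
    row = USERS.get(normalize(contact))
    if row is not None:
        outbox.append((contact, "An account already uses this contact; sign in or reset your password."))
    else:
        outbox.append((contact, "Your signup code is <constructed code>"))
    return {"status": "ok", "message": "If this contact is valid, we sent a message to it."}


def contact_discovery(requester_id: int, contacts: list) -> list:
    """The legitimate path from contact to account: an authenticated user
    syncing an address book. Only accounts that opted in are returned, so the
    privacy setting is enforced on the server rather than trusted to a client."""
    matches = []
    for c in contacts:
        row = USERS.get(normalize(c))
        if row is not None and row["discoverable"] and row["id"] != requester_id:
            matches.append(row["id"])
    return matches


class EnumerationDetector:
    """Counts distinct contacts probed per client inside a sliding window.
    Harvesting millions of records needs many lookups from few sources; that
    volume, not any single request, is the signal to rate-limit or alert on."""

    def __init__(self, window_seconds: int, max_distinct: int):
        self.window = window_seconds
        self.max_distinct = max_distinct
        self.events = defaultdict(deque)  # client -> deque of (timestamp, contact)

    def record(self, client: str, contact: str, ts: float) -> bool:
        """Log one lookup; return True when the client exceeds the threshold."""
        q = self.events[client]
        q.append((ts, normalize(contact)))
        while q and q[0][0] < ts - self.window:  # drop events outside the window
            q.popleft()
        distinct = {c for _, c in q}
        return len(distinct) > self.max_distinct


if __name__ == "__main__":
    print(duplicate_check_vulnerable("Alice@example.com"))  # leaks the ID 1001
    box = []
    print(duplicate_check_hardened("alice@example.com", box), box[-1])
    print(contact_discovery(1001, ["+15555550100", "alice@example.com"]))  # [1002]
    det = EnumerationDetector(window_seconds=60, max_distinct=20)
    flags = [det.record("203.0.113.7", f"user{i}@example.com", float(i)) for i in range(25)]
    print(flags.index(True))  # first flagged lookup is the 21st, index 20
```

The hardened check still lets a genuine user finish signing up or recover an existing account, because the distinguishing message reaches only the mailbox or phone they control; the detector complements it by making the bulk-collection pattern visible even on endpoints that must return some per-contact answer.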
However, the threat actor, known as Devil, told BleepingComputer that they are not zhirinovskiy and have never used HackerOne.