A threat actor acquired data from 5.4 million Twitter accounts by exploiting a now-patched vulnerability in the popular social networking site. Hacker is currently selling the stolen information on the prominent hacker site Breached Forums.
In January, a Hacker report claimed the discovery of a vulnerability that may be used by an attacker to identify a Twitter account using the linked phone number/email, even if the user has elected to avoid this in the privacy settings.
“The vulnerability allows any party without any authentication to obtain a Twitter ID(which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by Zhirinovskiy via bug bounty platform HackerOne.
“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number but an attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities”
Twitter acknowledged the vulnerability and rewarded Zhirinovskiy with a $5,040 prize.
The website Restore Privacy uncovered the advertising for the massive data trove on Breached Forums.
A hacker has published a database of 5.4 million Twitter users.
Database of 5.4 million Twitter users
According to the seller, the database comprises data (email addresses and phone numbers) from people ranging from celebrities to businesses. The vendor additionally included a data sample in the form of a csv file.
“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.” reads the post published by RestorePrivacy.
“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.”
The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.