A Twitter vulnerability discovered in January 2022 allowed a threat actor to compile a database of phone numbers and email addresses linked to 5.4 million Twitter accounts, as first reported by RestorePrivacy.
Although Twitter patched the vulnerability, the attacker known as “devil” is now selling the database allegedly built by exploiting it on Breached Forums, a popular hacking forum, for $30,000. The database covers a wide range of accounts, including celebrities, companies, and ordinary users.
“Hi, today I present to you data collected about multiple users using Twitter through a vulnerability. (5485636 users to be exact),” reads the forum post selling the Twitter data. “These users range from celebrities to companies, randoms, OGs, etc.”
Back in January 2022, HackerOne user “zhirinovskiy” reported a Twitter vulnerability that allowed an attacker to find the Twitter account linked to a given phone number or email address, even if the user had disabled that lookup in their privacy settings.
The bug lay in the authorization process used by Twitter’s Android client, specifically in the step that checks whether an account already exists for a submitted phone number or email address. That check answered for every account, regardless of the user’s discoverability setting, so it could be driven as an enumeration oracle.
The bug report stated: “This is a serious threat because not only can people find users who have restricted their ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can do a lot of things. The Twitter user base not available [sic] to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or to target celebrities in various malicious activities.”
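As an added illustration of the bug class described above (this is not Twitter’s code and not the reporter’s proof of concept; the endpoints, user data and rate limit are all hypothetical), the following Python models a pre-signup duplicate-account check that answers for every contact and returns the linked handle, the enumeration loop an attacker would run against it, and a hardened version that closes the oracle:

```python
"""Constructed model of contact-to-account enumeration via a duplicate-account
check. Hypothetical endpoints and fake data; not Twitter's implementation."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    discoverable: bool  # user-controlled "let people find me by email/phone"


# Constructed sample user table (fake data).
USERS = [
    Account("celeb_a", "a@example.com", "+15550000001", discoverable=False),
    Account("company_b", "press@example.org", "+15550000002", discoverable=True),
    Account("random_c", "c@example.net", "+15550000003", discoverable=False),
]
BY_CONTACT: Dict[str, Account] = {}
for acct_ in USERS:
    BY_CONTACT[acct_.email] = acct_
    BY_CONTACT[acct_.phone] = acct_


def contact_lookup(contact: str) -> dict:
    """The intended 'find people I know' feature: honours discoverability."""
    acct = BY_CONTACT.get(contact)
    if acct is None or not acct.discoverable:
        return {"found": False}
    return {"found": True, "handle": acct.handle}


def duplicate_check_vulnerable(contact: str) -> dict:
    """Signup-time duplicate check that bypasses the setting above.

    The response differs for registered vs. unregistered contacts and even
    names the linked handle, so an unauthenticated caller can map
    contact -> handle for every user, discoverable or not."""
    acct = BY_CONTACT.get(contact)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "handle": acct.handle}


RATE_LIMIT = 5  # hypothetical per-client budget of duplicate checks
ATTEMPTS: Counter = Counter()
OUTBOX: List[tuple] = []  # stands in for an email/SMS queue


def duplicate_check_hardened(contact: str, client_id: str) -> dict:
    """Same check with the oracle closed.

    * The in-band response is identical whether or not the contact is
      registered: no handle and no existence bit. The real outcome is sent
      out of band to the contact itself.
    * A per-client attempt budget makes bulk probing expensive."""
    ATTEMPTS[client_id] += 1
    if ATTEMPTS[client_id] > RATE_LIMIT:
        return {"status": "rate_limited"}
    acct = BY_CONTACT.get(contact)
    if acct is not None:
        OUTBOX.append((acct.email, "Someone tried to sign up with this contact"))
    return {"status": "ok",
            "message": "If this contact can be used, we will send instructions to it."}


def enumerate_contacts(candidates: List[str],
                       probe: Callable[[str], dict]) -> Dict[str, str]:
    """Attacker side: push a candidate list through the endpoint and keep every
    response that names an account."""
    found: Dict[str, str] = {}
    for contact in candidates:
        handle = probe(contact).get("handle")
        if handle:
            found[contact] = handle
    return found


if __name__ == "__main__":
    probes = ["a@example.com", "+15550000003", "nobody@example.com"]
    print("vulnerable:", enumerate_contacts(probes, duplicate_check_vulnerable))
    print("hardened:  ", enumerate_contacts(
        probes, lambda c: duplicate_check_hardened(c, "attacker")))
```

The point of the hardened version is that a contact-to-account resolution must be governed by the discoverability setting on every path that performs it, not just the advertised lookup feature; the cheapest way to guarantee that for a signup check is to return the same response for every input and move the real answer out of band.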
Twitter acknowledged on January 6, 2022 that it was a “valid security issue” and promised to investigate. It fixed the issue on January 13, 2022, and awarded HackerOne user “zhirinovskiy” a $5,040 bounty for the report.
The owner of Breached Forums has verified the authenticity of the leak and noted that it was obtained through the vulnerability described in the HackerOne report above.
RestorePrivacy checked a sample of the database against some of the listed Twitter users and found that the email addresses and phone numbers were correct and associated with real accounts.
While Twitter has not confirmed the recent data breach, a Twitter spokesperson said the company is “assessing the latest data to verify the authenticity of the claims and ensure the security of the affected accounts.”
“We received a report of this incident several months ago through our bug bounty program, and immediately investigated and fixed the vulnerability. As always, we are committed to protecting the privacy and security of the people who use Twitter,” said the Twitter spokesperson.
“We are grateful to the security community that participates in our bug bounty program to help us identify potential vulnerabilities like this. We review the most recent data to verify the authenticity of the claims and ensure the security of the affected accounts.”