A Twitter data breach allowed hackers to gain access to the contact details of 5.4 million accounts. The data, which includes Twitter handles, phone numbers, and addresses, has been put up for sale on a hacking forum for $30,000.
Restore Privacy reports that the breach was made possible by a vulnerability discovered back in January.
A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.
Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings.
A threat actor is now selling the data allegedly acquired from this vulnerability. Earlier today we noticed a new user selling the Twitter database on Breached Forums, the famous hacking forum that gained international attention earlier this month with a data breach exposing over 1 billion Chinese residents.
The post is still live now with the Twitter database allegedly consisting of 5.4 million users being for sale. The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.”
Restore Privacy says that two samples of the database check out.
We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.
All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter.
The privacy website contacted the seller and was told the asking price of the database was $30,000.
The vulnerability allowed anyone to enter a phone number or email address and find the associated Twitter ID:
This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.
Also a cool feature that I discovered is that you can even find the IDs of suspended Twitter accounts using this method.
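The underlying defect described above is a lookup endpoint that resolved an email address or phone number to an account even when the owner had disabled discoverability, and that answered fast enough to be enumerated at scale. The following is an added illustration written for this article, not Twitter's code and not taken from the HackerOne report: a hypothetical contact-lookup function in its vulnerable form beside a hardened form that honours the per-user discoverability flags, returns the same answer for "no such account" and "not discoverable", and sits behind a per-client rate limiter. The user records, field names and limits are constructed for the example.

```python
"""Contact lookup: vulnerable vs hardened (hypothetical example, not Twitter's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    # Field names are invented for this example.
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = True
    discoverable_by_phone: bool = True


# Constructed sample directory; all accounts are fictional.
USERS = [
    User(1001, "alice", "alice@example.com", "+15550000001"),
    User(1002, "bob", "bob@example.com", "+15550000002",
         discoverable_by_email=False, discoverable_by_phone=False),
    User(1003, "carol", "carol@example.com", "+15550000003",
         discoverable_by_phone=False),
]


def _normalise(identifier: str) -> str:
    # Emails are compared case-insensitively; phone numbers ignore spacing.
    ident = identifier.strip()
    return ident.lower() if "@" in ident else ident.replace(" ", "")


def _find(identifier: str) -> Optional[User]:
    ident = _normalise(identifier)
    for user in USERS:
        if ident == user.email.lower() or ident == user.phone:
            return user
    return None


def lookup_vulnerable(identifier: str) -> Optional[int]:
    """Vulnerable form: resolves any matching account, ignoring privacy settings."""
    user = _find(identifier)
    return user.user_id if user else None


def lookup_hardened(identifier: str) -> Optional[int]:
    """Hardened form: a hidden account is indistinguishable from a non-existent one."""
    user = _find(identifier)
    if user is None:
        return None
    by_email = "@" in identifier
    if by_email and not user.discoverable_by_email:
        return None
    if not by_email and not user.discoverable_by_phone:
        return None
    return user.user_id


class LookupRateLimiter:
    """Sliding-window limit on lookups per client, to blunt bulk enumeration."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: dict = defaultdict(deque)

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits[client_id]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def handle_lookup(client_id: str, identifier: str,
                  limiter: LookupRateLimiter, now: float) -> dict:
    """Endpoint handler combining the rate limit with the privacy-respecting lookup."""
    if not limiter.allow(client_id, now):
        return {"status": "rate_limited"}
    # Same shape of response whether the account is absent or simply not discoverable.
    return {"status": "ok", "user_id": lookup_hardened(identifier)}


if __name__ == "__main__":
    limiter = LookupRateLimiter(max_requests=3, window_seconds=60.0)
    print("vulnerable:", lookup_vulnerable("bob@example.com"))   # 1002 despite opt-out
    print("hardened:  ", lookup_hardened("bob@example.com"))     # None
    for t in (0.0, 1.0, 2.0, 3.0):
        print(t, handle_lookup("client-a", "alice@example.com", limiter, t))
```

The two points a reviewer would check are that the discoverability flags are consulted per lookup channel (email and phone are separate settings) and that the hardened path never reveals whether an identifier is registered at all; the rate limiter is a second, independent control that makes any residual leak expensive to exploit in bulk.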
Currently, there is no way for Twitter users to determine if their account was included in the data breach.
Users are advised to stay alert for phishing attacks, such as emails claiming to be from PayPal, your bank, Apple, and other important accounts requesting information or asking you to log in to your account by clicking a link to “log in.”