A database containing data from 5.4 million Twitter accounts available for sale
Security Affairs
The threat actor leaked data of 5.4 million Twitter users that was obtained by exploiting a now patched flaw in the popular platform.
A threat actor has leaked data from 5.4 million Twitter accounts which was obtained by exploiting a now patched vulnerability in the popular social media platform.
The threat actor is now offering the stolen data for sale on the popular hacking forum Breached Forums. In January, a report published on HackerOne claimed the discovery of a vulnerability that could be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user chose to prevent it in the privacy options.
“The vulnerability allows any party without any authentication to obtain a twitter id (which is almost equivalent to getting the username of an account) from any user by submitting a phone/email number even if the user has prohibited this action in the privacy settings. The bug exists because of the authorization process used in Twitter’s Android client, specifically in the process of verifying a duplicate Twitter account,” reads the description in the report submitted by zhirinovskiy via the bug bounty platform HackerOne. “This is a serious threat because people can not only find users who have restricted findability by email/phone number, but any attacker with basic knowledge of scripting/coding can enumerate a large chunk of the twitter user base unavailable to prior enumeration (create database with phone/email logins to username). These bases can be sold to malicious parties for advertising purposes or for the purpose of targeting celebrities in different malicious activities.”
Twitter confirmed the existence of this vulnerability and awarded zhirinovskiy a bounty of $5,040.
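The report describes a classic account-enumeration flaw: a signup-time "duplicate account" check that answers an unauthenticated caller with the account identity tied to a phone number or e-mail, ignoring the owner's discoverability setting. The following is an added example, not code from the article or from Twitter, modelling that flaw beside a hardened version of the same check. All accounts, handles, contacts and the `outbox` delivery list are constructed sample data; the function names are the example's own.

```python
"""Toy model of a contact-based duplicate-account check (added example).

leaky_duplicate_check    - behaves like the reported bug: any caller learns the
                           user id behind a contact, whatever the privacy setting.
hardened_duplicate_check - same entry point, fixed: the reply is identical whether
                           or not the contact is in use, and the outcome is resolved
                           out-of-band by messaging the contact itself.
find_friends_by_contact  - the legitimate lookup feature, gated on an authenticated
                           session and on the owner's opt-in per contact type.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool


# Constructed sample accounts; not real users or identifiers.
ACCOUNTS = [
    Account(1001, "alice", "alice@example.test", "+15550000001", True, False),
    Account(1002, "bob", "bob@example.test", "+15550000002", False, False),
]


def _find_by_contact(contact: str):
    """Internal lookup shared by all three entry points."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct
    return None


def leaky_duplicate_check(contact: str) -> dict:
    """The flawed design: existence and identity are returned to anyone."""
    acct = _find_by_contact(contact)
    if acct is None:
        return {"status": "available"}
    return {"status": "taken", "user_id": acct.user_id}


# One fixed reply for both branches, so the response carries no bit of
# information about whether the contact is already registered.
UNIFORM_REPLY = {
    "status": "pending",
    "message": "If this contact can be used, a verification code will be sent to it.",
}


def hardened_duplicate_check(contact: str, outbox: list) -> dict:
    """Hardened design: the caller always gets UNIFORM_REPLY; only the owner of
    the contact learns the outcome, via a message appended to `outbox`
    (a stand-in for the real e-mail/SMS sender)."""
    acct = _find_by_contact(contact)
    if acct is None:
        outbox.append((contact, "signup-code"))
    else:
        # Tell the existing owner someone tried to register their contact;
        # nothing about the existing account is revealed to the caller.
        outbox.append((contact, "signup-attempt-notice"))
    return dict(UNIFORM_REPLY)


def find_friends_by_contact(contacts, session_user_id):
    """Opt-in discovery: requires a logged-in session and honours the owner's
    per-contact-type setting, returning handles (never raw ids) of opted-in users."""
    if session_user_id is None:
        raise PermissionError("authentication required")
    matches = []
    for contact in contacts:
        acct = _find_by_contact(contact)
        if acct is None:
            continue
        allowed = (acct.discoverable_by_email if contact == acct.email
                   else acct.discoverable_by_phone)
        if allowed:
            matches.append(acct.handle)
    return matches


if __name__ == "__main__":
    sent = []
    print(leaky_duplicate_check("bob@example.test"))
    print(hardened_duplicate_check("bob@example.test", sent))
    print(hardened_duplicate_check("nobody@example.test", sent))
    print(sent)
    print(find_friends_by_contact(["alice@example.test", "bob@example.test"], 1002))
```

The two properties worth regression-testing in a real service are the ones the toy makes explicit: the response body (and, in production, timing and status code) of the duplicate check must not depend on whether the contact exists, and the discovery path must consult the owner's setting for the specific contact type being matched, since "bob" above is unreachable by either route despite being registered.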
The Restore Privacy website first discovered the advertisement for the huge data trove on the Breached forums.
Hacker puts database of 5.4 million Twitter users up for sale
The seller claims that the database contains data (i.e. emails and phone numbers) of users ranging from celebrities to corporations. The seller has also shared sample data as a CSV file.
“A few hours after the publication of the post, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the HackerOne report vulnerability above.” reads the message posted by RestorePrivacy.
“We uploaded the sample database for verification and analysis. It includes people from all over the world, with public profile information as well as the email or phone number of the Twitter user used with the account.”
The seller told RestorePrivacy that he was asking at least $30,000 for the entire database.