A Twitter vulnerability found in January is being exploited by threat actors to gain access to private account data. The information is allegedly from 5.4 million users. Twitter has patched the vulnerability, though the database allegedly acquired from this exploit is now being sold on a popular hacking forum.
In a post made Thursday, HackerOne reported a vulnerability allowing attackers to acquire phone numbers and/or email addresses associated with Twitter accounts, regardless of whether the user had hidden this information through privacy settings.
Twitter Vulnerability Leaks Private Data of Users
Restore Privacy reports that the bug was specific to Twitter’s Android client and occurred during Twitter’s authorization process. HackerOne user “zhirinovskiy” submitted a bug report on Jan. 1 of this year.
A HackerOne user stated,
This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavaliable [sic] to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.
The HackerOne report also explains how to replicate the vulnerability and acquire user data. Five days after the report was submitted, Twitter acknowledged that it was a “valid security issue” and promised to investigate. Twitter eventually fixed the issue, and zhirinovskiy received a $5,040 bounty.
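The class of bug described above is an account-enumeration oracle: a contact-lookup step answers differently for a phone number or email that belongs to an account than for one that does not, and ignores the user's "let others find me by email/phone" setting. The following is an added illustration, not Twitter's code and not the reproduction steps from the HackerOne report. It models a hypothetical lookup endpoint (the `User` records, the `lookup_*` functions and the `EnumerationMonitor` thresholds are all assumptions) and shows the vulnerable form beside a hardened one that honours the discoverability setting and answers identically for unknown and hidden contacts, plus a simple detector for the bulk-lookup pattern the reporter warned about.

```python
"""Constructed example of a contact-lookup enumeration oracle and its fix.

Not Twitter's code; all names, records and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str
    phone: str
    discoverable_by_email: bool   # the user's privacy setting
    discoverable_by_phone: bool


# Constructed sample directory; these are not real accounts.
USERS = [
    User("alice", "alice@example.com", "+15550000001", True, True),
    User("bob", "bob@example.com", "+15550000002", False, False),  # opted out
]


def lookup_vulnerable(contact: str) -> dict:
    """Bug: matches on email or phone without consulting the privacy flag.

    The response reveals that the contact is tied to an account (and which
    one) even when the user asked not to be discoverable, so iterating over
    a list of contacts builds exactly the phone/email-to-username mapping
    described in the article.
    """
    for u in USERS:
        if contact in (u.email, u.phone):
            return {"status": "found", "username": u.username}
    return {"status": "not_found"}


def lookup_hardened(contact: str) -> dict:
    """Fix: honour the discoverability setting and keep responses uniform.

    An opted-out user and a contact that belongs to nobody produce the same
    response, so the endpoint no longer acts as an oracle for hidden data.
    """
    for u in USERS:
        if contact == u.email and u.discoverable_by_email:
            return {"status": "found", "username": u.username}
        if contact == u.phone and u.discoverable_by_phone:
            return {"status": "found", "username": u.username}
    return {"status": "not_found"}


class EnumerationMonitor:
    """Flags a client that queries many distinct contacts in a short window.

    A legitimate "find my contacts" sync touches a bounded set of contacts;
    scripted enumeration streams through thousands. The limits here are
    assumed values for illustration, not a recommended production setting.
    """

    def __init__(self, max_distinct: int = 20, window_s: float = 60.0):
        self.max_distinct = max_distinct
        self.window_s = window_s
        # client id -> deque of (timestamp, contact) inside the window
        self._events: dict[str, deque] = defaultdict(deque)

    def record(self, client: str, contact: str, ts: float) -> bool:
        """Record one lookup; return True if the client should be flagged."""
        q = self._events[client]
        q.append((ts, contact))
        # Drop events that have aged out of the sliding window.
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        distinct = {c for _, c in q}
        return len(distinct) > self.max_distinct


def demo() -> dict:
    """Exercise both lookups and the monitor on the constructed data."""
    mon = EnumerationMonitor()
    flagged_at = None
    # Simulate a scripted sweep of 25 distinct constructed contacts.
    for i in range(25):
        if mon.record("client-A", f"user{i}@example.com", ts=float(i)) and flagged_at is None:
            flagged_at = i + 1  # number of lookups issued when first flagged
    return {
        "vulnerable_leaks_hidden": lookup_vulnerable("bob@example.com"),
        "hardened_hidden": lookup_hardened("bob@example.com"),
        "hardened_unknown": lookup_hardened("nobody@example.com"),
        "hardened_visible": lookup_hardened("alice@example.com"),
        "flagged_after": flagged_at,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two properties worth checking in any real fix are the ones the `demo()` result exposes: a hidden contact and an unknown contact must be indistinguishable from the caller's side (same status, same body, and in practice the same latency), and the discoverability check must sit in the lookup path itself rather than only in the profile view.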
However, just as predicted, someone started selling the Twitter information.
Restore Privacy reports that a user on a well-known hacking forum is selling a Twitter database allegedly consisting of 5.4 million users. The user goes by the name “devil” and claims that the dataset includes celebrities, companies, randoms, “OGs” and more. The forum’s owner has verified that the information was accurate and came from the vulnerability.
The seller is asking $30,000 for the database. Furthermore, Restore Privacy got a partial sample of the database and was able to verify that it links to actual people.
Twitter is going through a lot these days, and this certainly doesn’t help. Right now, there is no way to verify whether or not your information is part of the database. Keep yourself protected by not opening any links sent via email. Additionally, use your own bookmarks and be vigilant for phishing attacks.