Attacker Puts the Data of 5.4 Million Twitter Users Up for Sale
The data of 5.4 million (5,485,636) Twitter users has been put up for sale on the darknet. The database was compiled by combining publicly available profile data with the phone numbers and email addresses that the attacker learned by exploiting a Twitter vulnerability. The seller priced the database at $30,000.
As a reminder, we also reported that Teenager that hacked Twitter will spend three years in prison, and also that Twitter Hacking Hearing Held at Zoom and Was Interrupted By Porn Videos.

Bleeping Computer reports that a hacker using the handle devil, who put the data up for sale, claims that the dump contains information on a wide range of accounts, including celebrities, companies and random users.
The attacker told reporters that he used the vulnerability to collect the data in December 2021. The bug was first reported on by Restore Privacy specialists. It was fixed at the beginning of January of this year, and the corresponding report, filed by a researcher under the handle zhirinovskiy, can be found on HackerOne.
At the same time, devil stresses that he does not know zhirinovskiy and that his exploitation of the vulnerability has nothing to do with the HackerOne report. The hacker only confirmed that, given an email address or a phone number, it was possible to determine whether that address or number was associated with a Twitter account and, if so, obtain the account's ID. In other words, anyone holding a list of email addresses or phone numbers could use the endpoint as an oracle to tie them to Twitter accounts, with no access to the accounts themselves required. Armed with the ID, devil apparently pulled the rest of each account's public profile data to build a record per user.
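To make the mechanism concrete, here is an added illustration (not Twitter's code, and not taken from the HackerOne report): a constructed in-memory account table, a lookup handler that behaves like the oracle described above, the attacker-side loop that turns a contact list into account IDs, and a hardened handler whose response does not depend on whether the identifier matched. The function names, the sample accounts, the rate-limit numbers and the opt-in "discoverable" flag are assumptions made for this example.

```python
"""Constructed illustration of an email/phone-to-account-ID oracle.

Added example, not Twitter's code: ACCOUNTS stands in for a user database,
and the two lookup handlers stand in for a contact-discovery endpoint.
"""
from collections import defaultdict
import time

# Constructed sample accounts (hypothetical data, not real users).
# 'discoverable' models a per-user opt-in; the flag name is an assumption.
ACCOUNTS = {
    "alice@example.com": {"id": 1001, "discoverable": True},
    "+15550000001":      {"id": 1001, "discoverable": True},
    "bob@example.org":   {"id": 1002, "discoverable": False},
}


def vulnerable_lookup(identifier: str) -> dict:
    """Behaves like the oracle the article describes: an unauthenticated
    caller supplies an email or phone number and learns whether an account
    exists and, if so, its numeric ID."""
    acct = ACCOUNTS.get(identifier)
    if acct is None:
        return {"status": "not_found"}
    return {"status": "found", "id": acct["id"]}


def enumerate_contacts(contacts, lookup) -> dict:
    """Attacker side: map every identifier that resolves to an account ID.
    With the IDs in hand, public profile data can be fetched per account.
    Against a handler that never says 'found', this yields nothing."""
    hits = {}
    for c in contacts:
        r = lookup(c)
        if r.get("status") == "found":
            hits[c] = r["id"]
    return hits


class HardenedLookup:
    """One way to close the oracle (an assumption, not the fix Twitter shipped):
    - the response is identical whether or not the identifier matched;
    - the account ID is never returned to the caller;
    - only users who opted in to discovery are matched at all;
    - each caller is rate-limited so bulk probing is throttled.
    The match result is consumed server-side only (e.g. to queue a
    'people you may know' suggestion) and is never reflected to the caller."""

    def __init__(self, max_per_window: int = 50, window_s: float = 60.0):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._calls = defaultdict(list)   # caller -> request timestamps
        self.matches = []                 # server-side record of matches

    def lookup(self, caller: str, identifier: str, now=None) -> dict:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._calls[caller] if now - t < self.window_s]
        if len(recent) >= self.max_per_window:
            self._calls[caller] = recent
            return {"status": "rate_limited"}
        recent.append(now)
        self._calls[caller] = recent

        acct = ACCOUNTS.get(identifier)
        if acct is not None and acct["discoverable"]:
            self.matches.append((caller, acct["id"]))
        # Same body and status for match, no match and non-discoverable user.
        return {"status": "accepted"}
```

The rate limit only slows an attacker down; the property that actually removes the oracle is the uniform "accepted" response. In a real deployment the status code, response size and timing would all have to be identical across the three cases as well, since any of them can leak the same bit.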
It is worth noting that in 2021 a dump containing information on 533,313,128 Facebook users was assembled in a similar way.
Twitter has not yet officially confirmed the leak, but has assured the media that it is already investigating what happened. At the same time, the company once again emphasized that the vulnerability discovered last winter was fixed long ago.
Bleeping Computer journalists independently checked the records of several Twitter users included in the sample provided by the hacker and confirmed that the personal information (email addresses and phone numbers) in it is genuine.