Attacker Puts the Data of 5.4 Million Twitter Users Up for Sale

The data of 5.4 million (5,485,636) Twitter users has been put up for sale on the darknet. The database was assembled by combining public profile data with users' phone numbers and email addresses, which were obtained by exploiting a vulnerability. The attacker priced the database at $30,000.

As a reminder, we also reported that the teenager who hacked Twitter will spend three years in prison, and that the Twitter hacking hearing held on Zoom was interrupted by porn videos.

Bleeping Computer reports that a hacker using the handle devil, who put the data up for sale, claims that the dump contains information on a wide range of accounts, including celebrities, companies and ordinary users.

Twitter user data

The attacker confirmed to reporters that he used the vulnerability to collect the data in December 2021. The bug was first reported by Restore Privacy; it was fixed at the beginning of January this year, and a report on it can be found on HackerOne.

"The vulnerability allows anyone, without any authentication, to find out the Twitter ID (which is almost equivalent to obtaining the username of an account) of any user through a phone number/email address, even if the user has prohibited this action in the privacy settings. The error is related to the authorization process used in the Android Twitter client, in particular, in checking for duplicate Twitter accounts," user zhirinovskiy wrote in the report.

At the same time, devil emphasizes that he is not familiar with zhirinovskiy and that his exploitation of the vulnerability has nothing to do with the report on HackerOne. The hacker only confirmed that, given an email address or a phone number, it was possible to determine whether that number or address is associated with a Twitter account, and then obtain the ID of that account. Armed with the ID, devil apparently extracted the rest of the public profile data to build user profiles.
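The lookup behaviour described above, as an added illustration that is not the article's, Twitter's or the HackerOne report's code: a duplicate-account check that leaks the account ID for any email or phone number, next to a hardened check that answers uniformly and a discovery lookup that honours the user's privacy setting (all names, flags and sample data are assumed).

```python
# Constructed illustration of the lookup oracle and a hardened alternative.
# Not Twitter's code; all account data below is made up.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    email: str
    phone: str
    discoverable_by_email: bool   # the user's privacy setting (assumed flag)
    discoverable_by_phone: bool


# Constructed sample accounts (hypothetical values).
ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550000001", False, False),  # opted out
    Account(1002, "bob@example.com",   "+15550000002", True,  True),   # opted in
]


def duplicate_check_vulnerable(identifier: str) -> dict:
    """Signup-style duplicate check with the flaw the article describes: an
    unauthenticated caller learns whether an email/phone is linked to an
    account and gets the account ID, regardless of the privacy setting."""
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return {"taken": True, "account_id": acct.account_id}
    return {"taken": False}


def duplicate_check_hardened(identifier: str) -> dict:
    """Same API surface, but the response is identical whether or not the
    contact is in use; ownership is proven out of band (a code sent to the
    address), so the caller learns nothing about other accounts."""
    return {"status": "verification_sent"}


def discover_hardened(identifier: str) -> Optional[int]:
    """Contact discovery that honours the per-account discoverability flags.
    'Not found' and 'opted out' give the same result, so the endpoint cannot
    confirm that a contact belongs to some account."""
    for acct in ACCOUNTS:
        if identifier == acct.email and acct.discoverable_by_email:
            return acct.account_id
        if identifier == acct.phone and acct.discoverable_by_phone:
            return acct.account_id
    return None


def responses_distinguishable(identifiers: Iterable[str]) -> bool:
    """True if the hardened duplicate check answers differently for any of the
    given identifiers, i.e. if it still behaves as an existence oracle."""
    return len({repr(duplicate_check_hardened(i)) for i in identifiers}) > 1
```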

It is worth noting that in 2021, a dump containing information about 533,313,128 Facebook users was collected in a similar way.

Twitter has not yet officially confirmed the leak, but assured the media that it is already investigating the incident. At the same time, the company once again emphasized that the vulnerability discovered last winter was fixed long ago.

Bleeping Computer journalists independently checked the data of some of the Twitter users included in the sample provided by the hacker and found that the personal information (email addresses and phone numbers) is genuine.

Interestingly, according to DLBI, the sale announcement has since been deleted, and the seller's Telegram contact is inactive.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
