News

Attacker Put Up for Sale the Data of 5.4 million Twitter Users

The data of 5.4 million (5,485,636) Twitter users was put up for sale on the darknet. The database appeared as a result of combining open data with phone numbers and email addresses of users who became known through the exploitation of the bug. The attacker valued the base at $30,000.

As a reminder, we also reported that Teenager that hacked Twitter will spend three years in prison, and also that Twitter Hacking Hearing Held at Zoom and Was Interrupted By Porn Videos.

Bleeping Computer reports that a hacker named devil, who put the data up for sale, claims that the dump contains information about various accounts, including celebrities, companies and random users.

The attacker confirmed to reporters that he used the vulnerability to collect data in December 2021. This is a bug that was first reported by Restore Privacy specialists. This vulnerability was fixed at the beginning of January of this year, and a report about it can be found on HackerOne.

The vulnerability allows anyone, without any authentication, to find out the Twitter ID (which is almost equivalent to obtaining the username of an account) of any user through a phone number/email address, even if the user has prohibited this action in the privacy settings. The error is related to the authorization process used in the Android Twitter client, in particular, in checking for duplicate Twitter account.user zhirinovskiy wrote in the report.

At the same time, devil emphasizes that he is not familiar with zhirinovskiy and the fact that he exploited the vulnerability has nothing to do with the mentioned report on HackeOne. The hacker only confirmed that using an email address and a phone number, it was possible to determine whether this number or mailing address is associated with a Twitter account, and then get the ID of this account. Armed with this ID, devil was apparently extracting the rest of the public data to create user profiles.

It is worth noting that in 2021, a dump containing information about 533,313,128 Facebook users was collected in a similar way.

Twitter has not yet officially confirmed the leak, but assured the media that they are already investigating what happened. At the same time, the company once again emphasized that the vulnerability discovered last winter has been fixed long time ago.

Bleeping Computer journalists independently checked the data of some Twitter users who fell into the sample provided by the hacker. It turned out that personal information (e-mail addresses and phone numbers) is true.

Interestingly, according to DLBI, at the moment the sale announcement has already been deleted, and the seller’s contact in Telegram is inactive.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

1 day ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

1 day ago