A security vulnerability at Twitter has allowed a threat actor to gain access to data of over 5.4 million user accounts. The stolen data is now up for grabs on a hacking forum for at least $30,000 US.
Last Thursday, a criminal began selling the contact information of an alleged 5.4 million Twitter users on a popular hacking forum. The ad, posted by a threat actor using the username “devil”, says the data includes profile information of people from across the globe, including celebrities, regular users and even data belonging to companies.
While Twitter has yet to confirm the information, researchers at Restore Privacy say a small sample of the database they examined was linked to real individuals.
“We downloaded the sample database for verification and analysis,” the investigators said. “It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account. All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter.”
The vulnerability exploited by the threat actor was reported in January by a security researcher. According to the user who submitted the bug report, the vulnerability allows a malicious actor to gain access to contact information (phone and email address) associated with a Twitter account, despite users’ privacy settings.
“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings,” the researcher explained. “The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.”
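As an added illustration (not Twitter's code and not taken from the researcher's report), the following hypothetical handler has the shape of the bug class described above: an unauthenticated "is this email/phone already registered?" check that answers with the matching account's identifier and ignores the owner's discoverability setting. Beside it sits a hardened version that returns an identical response either way, pushes verification out of band to the contact itself, rate-limits per client so bulk lookups surface as an alert, and enforces the privacy setting on the authenticated contact-sync path. All account data, names and limits are constructed assumptions.

```python
"""Added example, not Twitter's code. Models the enumeration bug class from
the article and a hardened form. Names, data and limits are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False  # user's privacy setting (opt-in)
    discoverable_by_phone: bool = False


# Constructed sample directory; every value here is hypothetical.
ACCOUNTS = [
    Account(1001, "alice_example", "alice@example.test", "+15550000001"),
    Account(1002, "bob_example", "bob@example.test", "+15550000002", True, True),
]


def _find_by_contact(contact: str) -> Optional[Account]:
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct
    return None


def vulnerable_duplicate_check(contact: str) -> dict:
    """Insecure duplicate check: no authentication, and it leaks the matching
    account ID even when the owner opted out of being discoverable."""
    acct = _find_by_contact(contact)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "user_id": acct.user_id}  # identifier leak


class FixedWindowLimiter:
    """Minimal per-client counter. Bulk lookups from one client are the
    signature of enumeration, so cap them and record an alert."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts = defaultdict(int)
        self.alerts = []

    def allow(self, client_id: str) -> bool:
        self.counts[client_id] += 1
        if self.counts[client_id] > self.limit:
            self.alerts.append(
                f"enumeration_suspected client={client_id} n={self.counts[client_id]}"
            )
            return False
        return True


SENT_MESSAGES = []  # stands in for an out-of-band email/SMS sender


def hardened_duplicate_check(contact: str, client_id: str,
                             limiter: FixedWindowLimiter) -> dict:
    """Hardened form: uniform response with no identifier, verification sent
    out of band (only the real owner sees it), per-client rate limiting."""
    if not limiter.allow(client_id):
        return {"status": "rate_limited"}
    if _find_by_contact(contact) is not None:
        SENT_MESSAGES.append((contact, "verification_code"))
    # Same body whether or not the contact is registered.
    return {"status": "if_registered_a_message_was_sent"}


def contact_sync(contacts: list, session_user_id: Optional[int]) -> list:
    """Authenticated 'find people you know' lookup that enforces the
    discoverability setting; the article's bug reached this data with neither check."""
    if session_user_id is None:
        raise PermissionError("authentication required")
    matches = []
    for contact in contacts:
        acct = _find_by_contact(contact)
        if acct is None:
            continue
        allowed = (acct.discoverable_by_email if contact == acct.email
                   else acct.discoverable_by_phone)
        if allowed:
            matches.append(acct.handle)
    return matches


if __name__ == "__main__":
    print(vulnerable_duplicate_check("alice@example.test"))  # leaks 1001 despite opt-out
    lim = FixedWindowLimiter(limit=3)
    for c in ("alice@example.test", "nobody@example.test"):
        print(hardened_duplicate_check(c, "client-A", lim))  # identical bodies
    print(contact_sync(["alice@example.test", "+15550000002"], session_user_id=1003))
```

The design point is that a registration flow never needs to tell an anonymous caller whether a contact is registered, let alone which account it belongs to: the only party who should learn that is the holder of the mailbox or phone, via the verification message. The limiter's alert list is where a detection pipeline would hook in.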
While Twitter has since patched the vulnerability, the criminal appears to have exploited the bug in December 2021, before it was reported and fixed, according to a statement to Bleeping Computer.
What are the risks?
As with other data leaks that expose contact information, affected Twitter users may face ongoing privacy and security issues. In the wrong hands, the data can be used for malicious purposes, including spam, phishing and account-takeover attacks that could lead to financial losses and a ruined online reputation for victims.
Twitter users should remain vigilant against unsolicited correspondence and avoid clicking on suspicious links, especially if they are asked to confirm login credentials or any other sensitive information.