25 July 2022

Account data of 5.4 million Twitter users put up for sale on a hacker forum



A database containing account details of over 5.4 million Twitter users has been offered for sale on a hacker forum for $30,000. According to the seller, who goes online as “devil,” the database includes information about various accounts, including celebrities, companies, and random users.

According to the RestorePrivacy team who first reported the issue, the database was built using a security vulnerability that was reported in January 2022. Twitter acknowledged that this was a valid security issue, and paid a security researcher who discovered it a $5,040 bounty.

“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” said a vulnerability report submitted by the researcher.

“Devil” told the tech news site BleepingComputer that, using this vulnerability, one can determine whether email addresses and phone numbers are associated with a Twitter account and retrieve that account's ID. BleepingComputer has verified that some of the data shared by the seller is accurate; however, it is not clear whether all 5.4 million accounts offered for sale are valid.

Twitter said that they are investigating the situation.

 
