A Twitter vulnerability discovered in January 2022 allowed a threat actor to gain access to a database containing phone numbers and email addresses belonging to 5.4 million Twitter account users, as first reported by RestorePrivacy.
Although the Twitter vulnerability has since been patched, a threat actor using the alias ‘devil’ is now selling the database allegedly built from it on Breached Forums, a popular hacking forum, for $30,000. The database spans a wide range of accounts, including celebrities, companies, and ordinary users.
“Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. (5485636 users to be exact),” reads the forums post selling the Twitter data. “These users range from Celebrities, to Companies, randoms, OGs, etc.”
Back in January 2022, HackerOne user “zhirinovskiy” reported a Twitter vulnerability that allowed an attacker to look up the Twitter account linked to a given phone number or email address, even if that user had disabled the option to be found that way in their privacy settings.
The flaw lay in the authorization flow used by Twitter’s Android client, specifically in the duplicate-account check that runs when a phone number or email address is submitted to see whether it is already registered.
The bug report stated, “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”
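To make the enumeration risk described in the report concrete, the following is an added example that is not part of the original article and not Twitter’s code. It models, with constructed sample accounts, a sign-up duplicate-account check that answers “is this email/phone already taken, and by whom?” without consulting the owner’s discoverability settings, beside a hardened variant that returns an identical response either way and a contact-sync lookup that does honour the opt-in. All account data, function names and the exact shape of the responses are assumptions for illustration.

```python
"""Constructed model of the account-enumeration bug described above.

A sign-up 'duplicate account' check answers "is this email/phone already
linked to an account?". If that answer (or the linked handle) is returned to
the caller and the user's discoverability settings are never consulted, the
endpoint becomes an oracle mapping contact details to accounts. Everything
here is hypothetical sample data and example code, not Twitter's code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool  # "let people find me by email" privacy toggle
    discoverable_by_phone: bool  # "let people find me by phone" privacy toggle


# Constructed sample directory (fictional accounts and contact details).
DIRECTORY = [
    Account("celeb_one", "agent@example.com", "+15550001111", False, False),
    Account("acme_corp", "press@acme.example", "+15550002222", True, False),
    Account("random_user", "rnd@example.org", "+15550003333", False, True),
]


def _lookup(identifier: str) -> Optional[Account]:
    """Find the account owning this email or phone, ignoring privacy settings."""
    for acct in DIRECTORY:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


def vulnerable_duplicate_check(identifier: str) -> Dict[str, object]:
    """Sign-up duplicate check as the bug report describes it: it reports whether
    the contact detail is taken and which account owns it, and never asks whether
    that account agreed to be found by email/phone."""
    acct = _lookup(identifier)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "handle": acct.handle}


def hardened_duplicate_check(identifier: str) -> Dict[str, object]:
    """Fixed variant: the response is byte-for-byte identical whether or not the
    contact detail is registered. Ownership is proven out-of-band by sending a
    code to the address/number, so the caller learns nothing it could not learn
    by controlling that inbox or phone."""
    _lookup(identifier)  # may trigger an email/SMS to the real owner; nothing leaks here
    return {"message": "If this contact detail is available, a verification code has been sent."}


def find_by_contact(identifier: str) -> Optional[str]:
    """Legitimate contact-sync lookup: returns a handle only when the owner opted
    in to being found by that kind of identifier."""
    acct = _lookup(identifier)
    if acct is None:
        return None
    is_email = "@" in identifier
    allowed = acct.discoverable_by_email if is_email else acct.discoverable_by_phone
    return acct.handle if allowed else None


def enumerate_contacts(check: Callable[[str], Dict[str, object]],
                       candidates: Iterable[str]) -> Dict[str, str]:
    """Attacker-side loop: feed candidate emails/phones into the check and keep
    every contact detail that resolves to a handle."""
    found: Dict[str, str] = {}
    for cand in candidates:
        resp = check(cand)
        if resp.get("taken") and "handle" in resp:
            found[cand] = str(resp["handle"])
    return found


# Constructed attacker wordlist: two real contact details, two that match nothing.
CANDIDATES = ["agent@example.com", "nobody@example.com", "+15550003333", "+15559999999"]

if __name__ == "__main__":
    print("vulnerable:", enumerate_contacts(vulnerable_duplicate_check, CANDIDATES))
    print("hardened:  ", enumerate_contacts(hardened_duplicate_check, CANDIDATES))
    for c in CANDIDATES:
        print("find_by_contact", c, "->", find_by_contact(c))
```

Run against the vulnerable check, the loop recovers the handle for every registered contact detail in the list, including the account that opted out of discovery; against the hardened check it recovers nothing, while the contact-sync lookup still works for users who opted in. A uniform response is necessary but not sufficient: the same endpoint should also be rate-limited per client, since an attacker with a large candidate list only needs a yes/no signal, however it is encoded (status code, timing, or error text).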
Twitter acknowledged on January 6, 2022, that it was a “valid security issue” and promised to investigate. It fixed the issue on January 13, 2022, and awarded HackerOne user “zhirinovskiy” a $5,040 bounty for the report.
The owner of Breached Forums has vouched for the authenticity of the leak and also stated that it was obtained through the vulnerability described in the HackerOne report above.
RestorePrivacy verified the sample database with some of the listed Twitter users and found that the email addresses and phone numbers are accurate and linked to actual users.
While Twitter has not confirmed the recent data leak, a Twitter spokesperson said that the company is “reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”
“We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability. As always, we’re committed to protecting the privacy and security of the people who use Twitter,” the Twitter spokesperson said.
“We’re grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this. We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”