The personal account data of 5.4 million customers of the social and microblogging service, provided by the California giant with branches in San Antonio and Boston, has been sold to hackers.
Twitter has suffered a data breach: after threat actors used a vulnerability to build a database of 5.4 million account phone numbers and email addresses, the data is now for sale on a hacker forum for $30,000.
It was put up for sale by a cybercriminal known as “Satan”. Posted on what the seller claims is a marketplace for stolen data, the database contains information from a variety of accounts, including celebrities, businesses and casual users.
They are now selling data for $30,000
“Hi, today I am presenting to you the collected data of multiple users who use Twitter through a vulnerability, 5485636 users to be exact,” reads the forum post selling the Twitter data. “These users range from celebrities, companies, casuals, OGs, etc.”
In a conversation with BleepingComputer, the threat actor said they used a vulnerability to collect the data in December 2021. They are now selling the data for $30,000, the amount buyers are willing to spend.
As first reported by RestorePrivacy, the vulnerability used to collect the data is the same one disclosed to Twitter through HackerOne earlier in the year and fixed on the 13th.
“The vulnerability allows anyone to obtain a Twitter ID without any authentication, which is roughly equivalent to obtaining a user’s account username, by sending a phone number/email, even if the user has prohibited this action in privacy settings,” explained Zhirinovskiy, a well-known security researcher.
“The bug,” he continued, “exists due to the authorization process used in Twitter’s Android client, specifically the process of verifying the identity of a Twitter account.” In any case, Devil told BleepingComputer they are not affiliated with Zhirinovskiy and have never used HackerOne.
“I don’t want to trouble those who reported on H1,” the hacker told BleepingComputer. “I think a lot of people are trying to get him to contact me; if I were him I would be angry. So I can’t stress this enough, I have nothing to do with him or the H1.”
The hacker confirmed that they could feed email addresses and phone numbers to the vulnerable function to determine whether each was associated with a Twitter account and retrieve that account’s ID. It amounts, in effect, to a full-blown alarm.
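The failure described above is a contact-lookup feature that ignores the user’s discoverability setting and answers unauthenticated callers. The following is an added illustration, not code from the article or from Twitter: a constructed lookup in the vulnerable pattern beside a hardened version that requires an authenticated caller, honours per-account opt-in flags, and returns the same empty answer for “no such contact” and “contact exists but is hidden”. All accounts, flags and field names here are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool  # assumed privacy flag ("let people find me by email")
    discoverable_by_phone: bool  # assumed privacy flag ("let people find me by phone")

# Constructed sample directory; these are not real accounts.
ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550001", True, False),
    Account(1002, "bob@example.com", "+15550002", False, False),
]

def vulnerable_lookup(contact: str) -> dict:
    """Pattern of the bug the article describes: any caller, authenticated or not,
    learns whether an email/phone is tied to an account and gets its ID,
    regardless of the owner's privacy settings."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return {"exists": True, "user_id": acct.user_id}
    return {"exists": False}

def hardened_lookup(contact: str, caller_id: Optional[int]) -> dict:
    """Hardened form: refuse unauthenticated callers, only match on a channel
    the owner opted into, and make 'not found' and 'found but hidden'
    indistinguishable so the endpoint cannot confirm account existence.
    (Per-caller rate limiting, omitted here, limits bulk scraping of
    accounts that did opt in.)"""
    if caller_id is None:
        return {}
    for acct in ACCOUNTS:
        if contact == acct.email and acct.discoverable_by_email:
            return {"user_id": acct.user_id}
        if contact == acct.phone and acct.discoverable_by_phone:
            return {"user_id": acct.user_id}
    return {}
```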