Social media site Twitter has allegedly suffered a data breach of more than 5.4 million accounts that are now for sale on a hacking forum.
The hacker, who goes by the alias ‘devil’, claimed in a post on Breach Forums that the stolen data includes email addresses and phone numbers of “celebrities, companies, randoms, OGs, etc”. ‘OGs’ refers to Twitter handles that are either short, comprising one or two letters, or a desirable word, such as a first name.
Devil reportedly will not accept offers “lower than [$30,000]” for the database. The hacker also shared a sample of the data which, according to privacy resource center Restore Privacy, “match[es] up with real-world people that can be easily verified with public profiles on Twitter”.
A few hours after the post was made on Breach Forums, the owner of the site verified the authenticity of the leak and stated that the breach resulted from a vulnerability in Twitter that was discovered in January of this year.
The vulnerability was discovered by zhirinovskiy, who submitted a report about it to vulnerability coordination and bug bounty platform HackerOne.
“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” explained zhirinovskiy.
Zhirinovskiy went on to describe the potential harms this vulnerability could cause as it would allow “any attacker with a basic knowledge of scripting/coding [to] enumerate a big chunk of the Twitter user base” and use the data collected to create a database that linked Twitter usernames to their respective email address or phone numbers. This database could then be sold “to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”
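The bug class zhirinovskiy describes is an account-enumeration oracle: a signup-time "is this email or phone already registered?" check that answers without authentication and hands back an account identifier, on a code path that never consults the user's discoverability setting. The following is an added illustration, not Twitter's code and not from the HackerOne report; the user records, the `discoverable_by_email` flag and the endpoint names are assumptions. It places the vulnerable check next to a hardened one and runs the enumeration loop the report warns about against both.

```python
"""Account-enumeration oracle: vulnerable duplicate check vs. hardened form.

Constructed illustration (not Twitter's code). The user table, the privacy
flag and the function names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class User:
    user_id: int
    handle: str
    email: str
    discoverable_by_email: bool  # the privacy setting the bug bypassed


# Constructed in-memory user table (hypothetical data).
USERS = [
    User(1001, "alice", "alice@example.com", True),
    User(1002, "bob", "bob@example.com", False),  # bob opted out of discovery
]

# Constructed candidate list an attacker might feed the oracle: two real
# addresses and one that is not registered.
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def _find_by_email(email: str) -> Optional[User]:
    norm = email.strip().lower()
    for u in USERS:
        if u.email.lower() == norm:
            return u
    return None


def contact_lookup(email: str) -> Optional[str]:
    """The intended 'find people by email' feature: honours the setting."""
    u = _find_by_email(email)
    if u is None or not u.discoverable_by_email:
        return None
    return u.handle


def vulnerable_duplicate_check(email: str) -> dict:
    """Vulnerable: a second code path (signup duplicate check) that is
    unauthenticated, ignores discoverable_by_email, and returns the
    numeric user ID, which is as good as the handle."""
    u = _find_by_email(email)
    if u is None:
        return {"taken": False}
    return {"taken": True, "user_id": u.user_id}


def hardened_duplicate_check(email: str) -> dict:
    """Hardened: the response carries no identifier and is identical whether
    or not the address exists. Whether the address is usable is resolved
    out of band (a verification email), so the endpoint is not an oracle.
    Rate limiting and authentication are separate, additional controls."""
    _ = _find_by_email(email)  # lookup result deliberately not reflected
    return {
        "status": "ok",
        "message": "If this address can be used, a verification email has been sent.",
    }


def enumerate_accounts(check: Callable[[str], dict],
                       candidates: Iterable[str]) -> Dict[str, int]:
    """What 'basic knowledge of scripting' buys an attacker: feed a list of
    addresses to the oracle and build an email -> user_id map for resale."""
    found: Dict[str, int] = {}
    for email in candidates:
        resp = check(email)
        if resp.get("taken") and "user_id" in resp:
            found[email] = resp["user_id"]
    return found


if __name__ == "__main__":
    print("contact lookup for bob:", contact_lookup("bob@example.com"))
    print("vulnerable:", enumerate_accounts(vulnerable_duplicate_check, CANDIDATES))
    print("hardened:  ", enumerate_accounts(hardened_duplicate_check, CANDIDATES))
```

The point of the two lookups is that the privacy setting was enforced on the feature users could see (`contact_lookup`) while an unrelated path reached the same table without the check. Reviewing every endpoint that accepts an email or phone number for what it reveals, and making the non-existent and opted-out cases indistinguishable from the outside, is the control that closes this class of bug.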
The vulnerability was discovered on January 1st 2022. Twitter verified the vulnerability on January 6th, paid zhirinovskiy $5,040, and patched the issue on January 13th; zhirinovskiy confirmed that day that the vulnerability had been fixed.
Twitter has confirmed that it is investigating the data breach as of July 24th 2022, but has not said anything further on the matter.