Investigation begins after hacker seeks buyers for personal data of 5.4 million Twitter users, reportedly stolen via seven-month-old vulnerability
A seven-month-old Twitter vulnerability has reportedly been exploited by a hacker who obtained the phone numbers and email addresses of roughly 5.4 million users.
According to a report by digital privacy advocacy group RestorePrivacy, the data gathering was made possible by the hacker obtaining account data via a ‘verified Twitter vulnerability’ that was first disclosed back in January this year.
Twitter has since patched the vulnerability, but unfortunately a database containing the stolen data is now being touted for sale on a popular hacking forum.
The Twitter vulnerability allowed an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user had hidden these fields in the privacy settings.
The bug was reportedly specific to Twitter’s Android client and lay in Twitter’s authorisation process.
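As an added illustration of the flaw class described above (this is not Twitter’s code and not a reconstruction of the actual bug, whose internals the report does not give), the following Python models a contact-to-account lookup in an auxiliary sign-in flow that ignores the owner’s discoverability privacy settings, the hardened version beside it, the enumeration such an oracle enables, and a simple retrospective check over lookup logs of the kind the commentary below calls for. All accounts, handles, IP addresses and log lines are constructed sample data.

```python
"""
Illustrative model of a contact-to-account lookup oracle and its fix.
Added example; not Twitter's code and not a reproduction of the reported bug.
All accounts, contacts, IPs and log lines below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool  # privacy setting: "let people find me by email"
    discoverable_by_phone: bool  # privacy setting: "let people find me by phone"


# Constructed sample accounts (hypothetical data).
ACCOUNTS: List[Account] = [
    Account("alice", "alice@example.com", "+15550000001", True, True),
    Account("bob", "bob@example.com", "+15550000002", False, False),
    Account("carol", "carol@example.com", "+15550000003", False, True),
]

NOT_FOUND = {"status": "no_account"}


def _find_by_contact(contact: str) -> Optional[Account]:
    return next((a for a in ACCOUNTS if contact in (a.email, a.phone)), None)


def vulnerable_lookup(contact: str) -> Dict[str, str]:
    """The flaw class: an auxiliary flow (here a sign-in helper) resolves a
    contact to an account without consulting the owner's discoverability
    settings, so a hidden account is revealed exactly like a public one."""
    acct = _find_by_contact(contact)
    if acct is None:
        return dict(NOT_FOUND)
    return {"status": "found", "handle": acct.handle}


def hardened_lookup(contact: str) -> Dict[str, str]:
    """Fix: honour the per-contact-type opt-in, and make 'hidden account' and
    'no such account' return identical responses so they cannot be told apart."""
    acct = _find_by_contact(contact)
    if acct is not None:
        opted_in = (acct.discoverable_by_email if contact == acct.email
                    else acct.discoverable_by_phone)
        if opted_in:
            return {"status": "found", "handle": acct.handle}
    return dict(NOT_FOUND)


def enumerate_contacts(lookup: Callable[[str], Dict[str, str]],
                       candidates: List[str]) -> List[Tuple[str, str]]:
    """What an attacker does with the oracle: feed a list of emails/phones
    and keep every (contact, handle) pair the endpoint confirms."""
    found: List[Tuple[str, str]] = []
    for contact in candidates:
        result = lookup(contact)
        if result["status"] == "found":
            found.append((contact, result["handle"]))
    return found


def flag_enumeration(log_lines: List[str], threshold: int) -> Dict[str, int]:
    """Retrospective hunt over lookup logs ('<client_ip> <contact> <status>'):
    a client probing many distinct contacts is an enumeration signal."""
    distinct: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        client_ip, contact, _status = line.split()
        distinct[client_ip].add(contact)
    return {ip: len(s) for ip, s in distinct.items() if len(s) >= threshold}


# Constructed attacker wordlist: two real contacts, one hidden one, two misses.
CANDIDATES = ["alice@example.com", "bob@example.com", "+15550000003",
              "nobody@example.com", "+15559999999"]

# Constructed log lines: one ordinary client, one client sweeping contacts.
SAMPLE_LOG = [
    "203.0.113.7 alice@example.com found",
    "198.51.100.9 a1@example.net no_account",
    "198.51.100.9 a2@example.net no_account",
    "198.51.100.9 bob@example.com found",
    "198.51.100.9 +15550000003 found",
]

if __name__ == "__main__":
    print("vulnerable:", enumerate_contacts(vulnerable_lookup, CANDIDATES))
    print("hardened:  ", enumerate_contacts(hardened_lookup, CANDIDATES))
    print("suspicious clients:", flag_enumeration(SAMPLE_LOG, threshold=3))
```

The point of the hardened version is not only the privacy check but the uniform response: if a hidden account returned anything distinguishable from a non-existent one (a different status, message, or even latency), the oracle would survive the fix. The log check is deliberately crude; in practice it would key on authenticated client or device identity as well as IP, since a scraper can rotate addresses.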
According to the RestorePrivacy report, the hacker utilised this flaw to lift the data.
The hacker, who goes by the username “devil”, is now selling the database of 5.4 million Twitter users on the hacking forum Breached Forums.
This is the same forum that gained international attention earlier this month after a data breach exposing the records of over 1 billion Chinese residents was offered there.
The “devil” hacker claims that the Twitter dataset includes “Celebrities, to Companies, randoms, OGs, etc.” and is seeking $30,000 for the data.
A few hours after the post was made, the owner of Breached Forums verified the authenticity of the leak and also pointed out that it had been extracted via the verified vulnerability.
A sample of the stolen data has also been posted on the forum.
RestorePrivacy downloaded the sample database for verification and analysis, which it said “includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.”
“All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter,” the report stated.
RestorePrivacy reported that Twitter at the weekend confirmed it is investigating the situation, but has not provided any more information at this time.
Ian McShane, VP strategy at security specialist Arctic Wolf, noted that the vulnerability appears to have affected accounts regardless of whether MFA was enabled, since it exposed contact details rather than requiring a login.
“The linking of a private email address and phone number associated with a Twitter account has the potential to add an extra dimension to this data breach,” said McShane.
“From what we know so far, it seems likely that an additional attack could be or could already have been launched on high profile users with MFA enabled,” said McShane. “We’ve seen what can happen when accounts are compromised on Twitter – usually some kind of cryptocurrency scam efforts – and while there’s been no evidence of such an attack recently, users should be vigilant for unexpected login attempts or unsolicited messages and calls.”
“Outside of Twitter, there’s the potential for attackers using the phone number to spoof MFA requests from other services (such as those linked to an @icloud or @gmail account),” he warned.
“Also, while bug bounties are great for finding vulnerabilities, it is still down to the company to ensure they have sufficiently closed the gap as well as the ability to hunt through historic activity to find evidence of exploration, otherwise they risk being publicly embarrassed just like Twitter over the last few days,” said McShane. “Whatever the case, this incident is not a good look for Twitter after a tumultuous few months.”