Twitter Hacker Seeks $30,000 For Stolen Data On 5.4 Million Users

A seven-month-old Twitter vulnerability has reportedly been exploited by a hacker, who obtained the phone numbers and email addresses of roughly 5.4 million users.

According to a report by digital privacy advocacy group RestorePrivacy, the hacker gathered the account data via a ‘verified Twitter vulnerability’ that was first reported in January this year.

Twitter has since patched the vulnerability, but a database containing the stolen data is now being offered for sale on a popular hacking forum.

Data breach

The Twitter vulnerability allowed an attacker to link a phone number or email address to the Twitter account that used it, even if the user had chosen to hide those fields in the privacy settings.

The bug was reportedly specific to Twitter’s Android client and lay in Twitter’s authorisation process.

According to the RestorePrivacy report, the hacker utilised this flaw to lift the data.
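The flaw described above is, in essence, a contact-lookup oracle: an endpoint that answers "which account uses this phone number or email address?" without honouring the user's discoverability setting. The following is an added illustration of that bug class and its fix, written for this page; it is not Twitter's code, and the users, handles and rate-limit value in it are constructed for the example. The vulnerable function answers for everyone, the hardened one only answers for users who opted in, gives the same reply for opted-out users as for unknown contacts, and caps lookups per client so that bulk enumeration of millions of contacts is no longer cheap.

```python
"""Account-lookup oracle: vulnerable vs hardened (added example, not Twitter's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool   # the privacy setting the bug ignored
    discoverable_by_phone: bool


# Constructed sample directory: hypothetical users, not real data.
DIRECTORY = [
    User(1001, "alice", "alice@example.com", "+15550001111", True, True),
    User(1002, "bob", "bob@example.com", "+15550002222", False, False),
]

RATE_LIMIT = 3                     # illustrative per-client lookup budget
_lookups_by_client = defaultdict(int)


def _find(contact: str):
    """Exact match on email or phone; returns the User or None."""
    for user in DIRECTORY:
        if contact in (user.email, user.phone):
            return user
    return None


def vulnerable_lookup(contact: str) -> dict:
    """Buggy behaviour: returns the account for any registered contact,
    regardless of the user's discoverability setting, and a visibly
    different reply for unknown contacts. Feeding it a list of phones or
    emails harvests the linked accounts."""
    user = _find(contact)
    if user is None:
        return {"found": False}
    return {"found": True, "user_id": user.user_id, "handle": user.handle}


def hardened_lookup(contact: str, client: str = "default") -> dict:
    """Fixed behaviour: reveal a match only when the user opted into
    discoverability for that contact type; opted-out users and unknown
    contacts get an identical reply; each client gets RATE_LIMIT lookups."""
    _lookups_by_client[client] += 1
    if _lookups_by_client[client] > RATE_LIMIT:
        return {"found": False, "error": "rate_limited"}
    user = _find(contact)
    if user is not None:
        is_phone = contact.startswith("+")
        opted_in = user.discoverable_by_phone if is_phone else user.discoverable_by_email
        if opted_in:
            return {"found": True, "user_id": user.user_id, "handle": user.handle}
    return {"found": False}


def enumerate_contacts(lookup, candidates, **kwargs) -> dict:
    """What an attacker does with the oracle: bulk-query and keep the hits."""
    hits = {}
    for contact in candidates:
        reply = lookup(contact, **kwargs)
        if reply.get("found"):
            hits[contact] = reply["handle"]
    return hits


if __name__ == "__main__":
    probes = ["alice@example.com", "+15550002222", "nobody@example.com"]
    print("vulnerable:", enumerate_contacts(vulnerable_lookup, probes))
    print("hardened:  ", enumerate_contacts(hardened_lookup, probes, client="demo"))
```

Bob has hidden both fields, so the vulnerable lookup still hands his handle to anyone holding his phone number, while the hardened one returns exactly what it returns for a number that was never registered. The rate limit is a second, independent control: even where a lookup is legitimately needed, a 5.4 million-row harvest should not be possible from a handful of clients without tripping monitoring.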

The hacker, who goes by the username “devil”, is now selling the database of 5.4 million users on the hacking forum Breach Forums.

This is the same forum that gained international attention earlier this month, when data on over 1 billion Chinese residents was offered for sale there.

The hacker claims that the Twitter dataset includes “Celebrities, to Companies, randoms, OGs, etc.” and is seeking $30,000 for the data.

A few hours after the post was made, the owner of Breach Forums vouched for the authenticity of the leak and pointed out that it had been extracted via the verified vulnerability.

A sample of the stolen data has also been posted on the forum.

RestorePrivacy downloaded the sample database for verification and analysis, which it said “includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.”

“All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter,” the report stated.

RestorePrivacy reported that Twitter at the weekend confirmed it is investigating the situation, but has not provided any more information at this time.

MFA bypass?

Ian McShane, VP strategy at security specialist Arctic Wolf, noted that the vulnerability exposed contact details regardless of whether the affected accounts had MFA enabled.

“The linking of a private email address and phone number associated with a Twitter account has the potential to add an extra dimension to this data breach,” said McShane.

“From what we know so far, it seems likely that an additional attack could be or could already have been launched on high profile users with MFA enabled,” said McShane. “We’ve seen what can happen when accounts are compromised on Twitter – usually some kind of cryptocurrency scam efforts – and while there’s been no evidence of such an attack recently, users should be vigilant for unexpected login attempts or unsolicited messages and calls.”

“Outside of Twitter, there’s the potential for attackers using the phone number to spoof MFA requests from other services (such as those linked to an @icloud or @gmail account),” he warned.

“Also, while bug bounties are great for finding vulnerabilities, it is still down to the company to ensure they have sufficiently closed the gap as well as the ability to hunt through historic activity to find evidence of exploitation, otherwise they risk being publicly embarrassed just like Twitter over the last few days,” said McShane. “Whatever the case, this incident is not a good look for Twitter after a tumultuous few months.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
