Bad news for Twitter users out there. The social media platform has been pwned. And the threat actor has put the data of 5.4 million people up for sale. Which is of course a bad thing. Restore Privacy is reporting that the breach was made possible by a vulnerability discovered back in January:
Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings.
The bug was specific to Twitter’s Android client and occurred with Twitter’s Authorization process.
The person who reported the bug was paid a bug bounty by Twitter when he submitted it to them. But apparently that came too late, as this happened:
Exactly as the HackerOne user zhirinovskiy described in the initial report in January, a threat actor is now selling the data allegedly acquired from this vulnerability.
Earlier today we noticed a new user selling the Twitter database on Breached Forums, the famous hacking forum that gained international attention earlier this month with a data breach exposing over 1 billion Chinese residents.
The post is still live now with the Twitter database allegedly consisting of 5.4 million users being for sale. The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.”
There is as yet no way to check whether your account is included in the Twitter data breach. As always, it pays to be vigilant about phishing attacks as that is how I expect that this data will be used.
Stay tuned for further developments.