Twitter data breach exposes contact details of 5.4 million accounts

A data breach on Twitter gave an attacker access to contact details for 5.4 million accounts. Twitter has confirmed the security breach that allowed the data extraction.

The data – which associates Twitter handles with phone numbers and email addresses – was offered for sale on a hacking forum, for $30,000…

Restore Privacy reports that the breach was made possible by a vulnerability discovered in January.

A verified Twitter vulnerability from January was exploited by a malicious actor to obtain account data of allegedly 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum posted earlier today.

Last January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has masked these fields. in the privacy settings. […]

A malicious actor is now selling the data allegedly acquired from this vulnerability. Earlier today we noticed a new user selling the Twitter database on Breached Forums, the notorious hacking forum that captured international attention earlier this month with a data breach exposing more than one billion Chinese residents.

The publication is still online with the Twitter database which is said to consist of 5.4 million users for sale. The vendor on the hacking forum goes by the username “devil” and claims the dataset includes “celebrities, corporations, randoms, OGs, etc.”

The owner of the hacking forum has verified the authenticity of the attack, and Restore Privacy also indicates that two samples from the database are retrieved.

We uploaded the sample database for verification and analysis. It includes people from all over the world, with public profile information as well as the email or phone number of the Twitter user used with the account.

All of the samples we’ve looked at are real-world people who can be easily verified with public profiles on Twitter.

The privacy site contacted the seller and was told the price of the database was $30,000.

HackerOne covered the vulnerability in January, which allowed anyone to enter a phone number or email address and then find the associated twitterID. This is an internal ID used by Twitter, but can easily be converted to a Twitter ID.

This is a serious threat because users can not only find users who have restricted findability by email/phone number, but any attacker with basic scripting/coding knowledge can enumerate a large portion of Twitter’s user base unavailable for pre-enumeration (create a database with phone/email connections to username). These databases can be sold to evil parties for advertising purposes or to target celebrities in different malicious activities.

Another cool feature I discovered is that you can even find the IDs of suspended Twitter accounts using this method.

It’s likely that the attacker obtained existing databases of phone numbers and email addresses obtained through breaches of other services, then used that information to search for matching Twitter IDs.

There is currently no way to check if your account is included in the Twitter data breach. As always, it’s worth being vigilant for phishing attacks – emails claiming to be from Apple, your bank, PayPal, email provider, etc., asking you to log in to your account.

Common phishing tactics include a message telling you that your account is at risk of being deleted, or sending a fake receipt for a high-value purchase, along with a link to dispute the charge.

The main guarantee here is to never click on the links sent in the emails. Always use your own bookmarks or enter a known URL.

FTC: We use revenue-generating automatic affiliate links. After.


Check out 9to5Mac on YouTube for more Apple news: