A Twitter vulnerability that came to light in January 2022 allowed a threat actor to gain access to a database containing phone numbers and email addresses belonging to 5.4 million Twitter accounts, as first reported by RestorePrivacy.
While the Twitter vulnerability has since been patched, the attacker known as ‘devil’ is now selling the database allegedly obtained through this exploit on Breached Forums, a popular hacking forum, for $30,000. The database contains information about a range of accounts, including celebrities, companies, and random users.
“Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. (5485636 users to be exact),” reads the forum post advertising the Twitter data. “These users range from Celebrities, to Companies, randoms, OGs, etc.”
Back in January 2022, HackerOne user “zhirinovskiy” reported a Twitter vulnerability that allowed an attacker to find a Twitter account by its phone number or email address even if the user had disabled this in the privacy settings.
The vulnerability was in the authorization process used by Twitter’s Android client, specifically in the step that checks whether an account with the submitted phone number or email already exists (the duplicate-account check). Because that check answered differently for registered and unregistered contact details, it leaked account existence regardless of the user’s discoverability setting.
The bug report stated, “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavaliable [sic] to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”
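As an added illustration (this is not Twitter’s code; the page gives no endpoint or client details, so the handler names, sample accounts and the privacy flag below are assumptions), the following Python models the pattern the report describes: a duplicate-account check that answers differently for registered and unregistered contact details is an enumeration oracle no matter what the user chose in privacy options, and the fix is to make the client-visible response identical in both cases and let only the opt-in “find friends” lookup reveal a username.

```python
# Added example (not Twitter's code): a minimal model of the enumeration
# oracle described in the bug report. Handler names, the sample accounts and
# the privacy flag are assumptions; the real Android client and API details
# are not given on the page.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class User:
    username: str
    email: str
    phone: str
    discoverable_by_contact: bool  # "Let people find me by email/phone" setting


# Constructed sample accounts, not real Twitter users.
USERS = [
    User("celeb", "celeb@example.com", "+15550100", discoverable_by_contact=False),
    User("randomuser", "rand@example.com", "+15550101", discoverable_by_contact=True),
]

# Out-of-band messages the hardened flow would send; collected here instead of sent.
OUTBOX: list = []


def _lookup(identifier: str) -> Optional[User]:
    for u in USERS:
        if identifier in (u.email, u.phone):
            return u
    return None


def duplicate_check_vulnerable(identifier: str) -> dict:
    """Signup-time 'already registered?' check that ignores the privacy setting.

    The response differs depending on whether the email/phone is registered, so
    it works as an enumeration oracle even for users who opted out of being
    found by contact details. (Assumption: the leaky reply also names the account.)
    """
    user = _lookup(identifier)
    if user is None:
        return {"taken": False, "message": "Available"}
    return {"taken": True, "message": f"Already registered to @{user.username}"}


def duplicate_check_hardened(identifier: str) -> dict:
    """Same check with the oracle closed.

    The client-visible response is identical whether or not the identifier is
    registered; the real outcome is delivered out of band to whoever controls
    the address or number, so only its legitimate owner learns anything.
    """
    user = _lookup(identifier)
    if user is None:
        OUTBOX.append((identifier, "signup verification code"))
    else:
        OUTBOX.append((identifier, "someone tried to sign up with your contact info"))
    return {"message": "If this address is eligible, we have sent it a message."}


def contact_lookup(identifier: str) -> Optional[str]:
    """The legitimate 'find friends' lookup, which must honour the user's setting."""
    user = _lookup(identifier)
    if user is None or not user.discoverable_by_contact:
        return None
    return user.username


def enumerate_accounts(oracle: Callable[[str], dict], candidates: list) -> list:
    """Attacker side: the scripted enumeration the bug report warns about.

    Takes a baseline response for an identifier that is certainly unregistered
    and flags every candidate whose response differs from it.
    """
    baseline = oracle("nobody@example.invalid")
    return [c for c in candidates if oracle(c) != baseline]


# Constructed candidate list an attacker might feed in (a leaked contact dump, say).
CANDIDATES = ["celeb@example.com", "+15550101", "unknown@example.com"]

if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(duplicate_check_vulnerable, CANDIDATES))
    print("hardened:  ", enumerate_accounts(duplicate_check_hardened, CANDIDATES))
```

Against the vulnerable check the enumeration recovers both registered contacts, including the celebrity who opted out of discoverability; against the hardened check it recovers nothing, because there is no response differential to measure. Uniform responses remove the oracle; per-client rate limiting and alerting on high-volume duplicate checks are the complementary controls that would have limited the 5.4-million-record harvest even if a differential had remained.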
Twitter acknowledged on January 6, 2022, that it was a “valid security issue” and promised to investigate. It fixed the issue on January 13, 2022, and rewarded HackerOne user “zhirinovskiy” with a bounty of $5,040 for finding the bug.
The owner of Breached Forums has verified the authenticity of the leak and also noted that it was obtained through the vulnerability from the HackerOne report above.
RestorePrivacy verified the sample database against some of the listed Twitter users and found that the email addresses and phone numbers are accurate and linked to real users.
While Twitter has not confirmed the recent data leak, a Twitter spokesperson said that the company is “reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”
“We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability. As always, we are committed to protecting the privacy and security of the people who use Twitter,” the Twitter spokesperson said.
“We are grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this. We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”