Background

Hackers Sell 5.4 Million Twitter User Account Details For $30,000

21/07/2022

Anything that is put on the internet is at risk of being hacked.

In most cases, data is protected only by login credentials. In others, it can be stolen through an exploited vulnerability, which is what happened at Twitter.

The microblogging social media platform has suffered a data breach after threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts.

A threat actor who goes by the name 'Devil' then advertised the database on a stolen-data market, saying it contains information on a wide range of accounts, including celebrities, companies and random users.

Twitter hacked.
Credit: Restore Privacy

"Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. (5485636 users to be exact)," reads the forum post. "These users range from Celebrities, to Companies, randoms, OGs, etc."

The stolen data is being sold on a hacker forum for $30,000.

The vulnerability in question was first reported by Restore Privacy, which said that it had been used to collect the data.

The flaw was disclosed to Twitter through HackerOne on January 1st.

"The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings," reads the vulnerability disclosure by a security researcher who goes by the name 'zhirinovskiy.'

"The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account."

Twitter fixed the flaw on January 13th and paid the researcher a $5,040 bounty.


Speaking to Bleeping Computer, a website covering technology news and offering free computer tutorials and troubleshooting, the threat actor said that they exploited the Twitter vulnerability to collect user data in December 2021.

Devil said that they are not affiliated with zhirinovskiy and have never used HackerOne.

"I don't want the white hat who reported it on H1 in trouble. I guess a lot of people are trying to connect him to me, I would be pissed if I was him. So I can't stress this enough I have nothing to do w him nor H1," the threat actor said.

The hacker explained that they could feed email addresses and phone numbers to the vulnerable endpoint to determine whether each one was associated with a Twitter account. If it was, the endpoint returned the account's Twitter ID, so IDs could be harvested quickly and at scale.

With the Twitter IDs, the hackers were able to scrape the web for publicly available data and match it to the IDs to build thorough user profiles.
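As an added illustration for this article (not code from the original page, from Twitter or from the researcher), the sketch below models the lookup the way the disclosure and the threat actor describe it: an unauthenticated duplicate-account check that answers an email or phone number with the matching account ID, even when that user has switched off discovery by email or phone. The user records, the `discoverable` flag, the `OUTBOX` queue and all function names are assumptions. `harvest_ids` is the attacker's loop; `hardened_duplicate_check` shows one way to close the oracle, by making the response identical for registered and unregistered identifiers and telling only the owner of the address, out of band, that an account already exists.

```python
"""Modelling an account-enumeration oracle in a sign-up duplicate check.

Constructed example written for this article, not Twitter's code. The User
records, the `discoverable` privacy flag and the function names are
assumptions used to show the leak and one way to fix it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    phone: str
    discoverable: bool  # "let others find me by email/phone" privacy setting


# Constructed sample directory with fake identifiers.
USERS: List[User] = [
    User(1001, "alice@example.com", "+15550000001", discoverable=True),
    User(1002, "bob@example.com", "+15550000002", discoverable=False),
    User(1003, "carol@example.com", "+15550000003", discoverable=False),
]

# Messages the hardened flow would send by email/SMS; recorded here instead.
OUTBOX: List[str] = []


def _lookup(identifier: str) -> Optional[User]:
    """Exact match on email or phone (normalisation omitted for brevity)."""
    for user in USERS:
        if identifier in (user.email, user.phone):
            return user
    return None


def vulnerable_duplicate_check(identifier: str) -> dict:
    """The flawed check as the disclosure describes it: no authentication,
    and the response carries the existing account's ID even when that user
    disabled discovery by email or phone."""
    user = _lookup(identifier)
    if user is None:
        return {"taken": False}
    return {"taken": True, "user_id": user.user_id}


def hardened_duplicate_check(identifier: str) -> dict:
    """One way to remove the oracle: the API response is identical whether
    or not the identifier is registered, and never includes an account ID.
    Whether an account already exists is told only to whoever controls the
    email/phone, inside the verification message (simulated with OUTBOX)."""
    user = _lookup(identifier)
    if user is None:
        OUTBOX.append(f"to {identifier}: your sign-up code is 123456")  # constructed code
    else:
        OUTBOX.append(f"to {identifier}: an account already exists; sign in instead")
    return {"status": "verification_sent"}


def contact_discovery(identifiers: Iterable[str]) -> Dict[str, int]:
    """Legitimate 'find people you know' lookup (assumed feature). A real
    deployment would also require an authenticated, rate-limited caller;
    the point here is that only opted-in accounts are ever returned."""
    found: Dict[str, int] = {}
    for ident in identifiers:
        user = _lookup(ident)
        if user is not None and user.discoverable:
            found[ident] = user.user_id
    return found


def harvest_ids(identifiers: Iterable[str], check: Callable[[str], dict]) -> Dict[str, int]:
    """What the threat actor described: feed a list of emails/phones to the
    endpoint and keep every account ID that comes back."""
    harvested: Dict[str, int] = {}
    for ident in identifiers:
        response = check(ident)
        if "user_id" in response:
            harvested[ident] = response["user_id"]
    return harvested


if __name__ == "__main__":
    probe = ["alice@example.com", "+15550000002", "carol@example.com", "nobody@example.com"]
    print("vulnerable:", harvest_ids(probe, vulnerable_duplicate_check))
    print("hardened:  ", harvest_ids(probe, hardened_duplicate_check))
    print("discovery: ", contact_discovery(probe))
```

Run against the constructed directory, the vulnerable check hands back IDs for all three registered identifiers, including the two users who opted out of discovery, while the hardened check yields nothing and the discovery endpoint returns only the opted-in account.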


This method is similar to how threat actors scraped the Facebook account data of 533 million users in 2021.

"We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability. As always, we’re committed to protecting the privacy and security of the people who use Twitter. We’re grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this," Twitter said.

"We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question."