A database containing the phone numbers and e-mail addresses of 5.5 million Twitter users is for sale on Breach Forums for 30,000 USD.
A Twitter vulnerability reported in January was used by an unknown attacker to allegedly capture roughly 5.5 million records. Twitter has since patched the vulnerability, but the database obtained through the exploit is currently for sale on Breach Forums. This was reported by Restore Privacy.
As early as 1 January of this year, the user zhirinovskiy reported a vulnerability on the bug bounty platform HackerOne. It allowed an attacker to link a phone number or e-mail address to the Twitter account it is associated with, even if the user had hidden those fields in the privacy settings. The error was specific to Twitter's Android client and occurred during the authorization process. Zhirinovskiy described the possible consequences of this vulnerability as a serious threat that threat actors could exploit:
“The vulnerability enables any party, without any authentication, to obtain the Twitter ID (which is almost the same as an account’s username) of any user by submitting a phone number/email address, even though the user has prohibited this action in the privacy settings. The error is due to the authorization process used in Twitter’s Android client, specifically when checking for duplication of a Twitter account.”
Twitter staff recognized the vulnerability as a “valid security issue” five days after zhirinovskiy submitted it to HackerOne. Twitter then fixed the problem on 13 January, less than two weeks after the report, and awarded zhirinovskiy a bounty of 5,040 US dollars.
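To make the mechanism concrete, here is an added example (not Twitter's code and not from the HackerOne report) that models the class of flaw described above: a sign-up duplicate check that looks up an account by phone number or e-mail and, in the vulnerable version, hands back the account ID without consulting the owner's discoverability setting. A hardened variant beside it returns one fixed response for every input, moves the "already registered" signal out of band to the owner of the mailbox or phone, and rate-limits callers. The endpoint and field names, the rate limit and the sample accounts are assumptions constructed for illustration; the page does not say what Twitter's actual fix changed.

```python
"""Added example, not Twitter's code: a minimal model of an account-enumeration
flaw in a sign-up duplicate check, with a hardened variant beside it.
All names, fields and sample data are assumptions constructed for illustration."""
from dataclasses import dataclass
from collections import defaultdict
from typing import Optional


@dataclass(frozen=True)
class Account:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable: bool  # privacy setting: "let others find me by e-mail/phone"


# Constructed sample directory standing in for the user database.
ACCOUNTS = [
    Account(1001, "alice", "alice@example.com", "+15550000001", True),
    Account(1002, "bob",   "bob@example.com",   "+15550000002", False),
]


def _lookup(contact: str) -> Optional[Account]:
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct
    return None


def duplicate_check_vulnerable(contact: str) -> dict:
    """The behaviour the report describes: any unauthenticated caller learns the
    user ID behind a registered phone/e-mail. The `discoverable` setting is
    never consulted, so hiding the field in the privacy settings changes nothing."""
    acct = _lookup(contact)
    if acct is None:
        return {"available": True}
    return {"available": False, "user_id": acct.user_id}


# Hardened variant: identical response for every input, no identifier, and the
# real "already registered" signal is delivered only to the contact's owner.
_outbox: list = []            # stands in for the mail/SMS gateway (assumption)
_hits = defaultdict(int)      # requests per caller, for rate limiting
RATE_LIMIT = 5                # assumed threshold for illustration


def duplicate_check_hardened(contact: str, caller: str) -> dict:
    _hits[caller] += 1
    if _hits[caller] > RATE_LIMIT:
        return {"status": "too_many_requests"}
    acct = _lookup(contact)
    if acct is None:
        _outbox.append((contact, "sign-up verification code"))
    else:
        # Only whoever controls the mailbox/phone learns an account exists.
        _outbox.append((contact, "an account already exists for this address"))
    return {"status": "check your e-mail or phone to continue"}


def enumerate_ids(check, contacts, **kw) -> dict:
    """What an attacker does with such an endpoint: feed in a contact list and
    keep every (contact -> user_id) pair the responses reveal. Against the
    vulnerable check this yields exactly the kind of dataset now being sold."""
    found = {}
    for contact in contacts:
        resp = check(contact, **kw)
        if "user_id" in resp:
            found[contact] = resp["user_id"]
    return found


if __name__ == "__main__":
    probes = ["alice@example.com", "+15550000002", "nobody@example.com"]
    print("vulnerable:", enumerate_ids(duplicate_check_vulnerable, probes))
    print("hardened:  ", enumerate_ids(duplicate_check_hardened, probes, caller="attacker"))
```

The point of the hardened version is that the response carries no information an attacker could not already obtain by registering; existence of an account is only ever communicated to whoever can read the mailbox or phone, and the rate limit makes bulk probing of millions of contacts impractical even if some side channel remained.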
Breached.to user offers Twitter database including celebrity and company data for sale
Currently, the user devil is offering the captured data for sale on the hacking forum Breached Forums for at least 30,000 US dollars. He states that the Twitter database in question comprises 5.5 million user records, covering celebrities and companies as well as ordinary users.
It should also be noted that the database contains no passwords. Rather, it pairs publicly available Twitter profile information with the phone number and/or e-mail address the user signed up with. The e-mail addresses could be used with Twitter's “Forgot your password” function, but an attacker would also need access to that e-mail account to complete a reset. The more immediate risk is that the data links accounts to real-world contact details their owners had deliberately hidden in the privacy settings.
Currently there is no way for Twitter users to determine whether their own account was affected by the breach. Users should be particularly wary of phishing attacks, e.g. e-mails purporting to come from PayPal, a bank, Apple or others that request login information.
Restore Privacy stated that the vulnerability discovered in January enabled the Twitter hack. A sample attached to the forum post is meant to attest to the authenticity of the data. Restore Privacy analyzed the sample and concluded:
“The database includes individuals from around the world with public profile information and the email address or phone number the Twitter user used with the account. All the samples we looked at match real-world people who are easy to verify through public profiles on Twitter.”
Earlier this month, a data leak of 23 terabytes was offered on Breached Forums; the personal data was for sale for 10 bitcoins. The database, obtained through the hack of a police department in Shanghai, contained data on over 1 billion Chinese residents.