An attacker allegedly gained access to the contact details of 5.4 million Twitter accounts through a vulnerability Twitter has known about for months.
The data exposed in the attack ties Twitter handles to phone numbers and email addresses, even for users who have restricted the ability to be found on Twitter this way. The attacker offered a sample of the data on a hacking forum and is selling the full database for “nothing lower than 30k” (presumably USD, or roughly $38,505 CAD).
Restore Privacy detailed the breach, noting that the attacker claims the dataset ranges from “Celebrities, to Companies, randoms, OGs, etc.” Moreover, the publication reports that the owner of Breach Forums verified the authenticity of the leaked data and said it was extracted via a vulnerability reported in January.
That vulnerability, detailed in a HackerOne post from user ‘zhirinovskiy,’ exploits a bug in Twitter’s Android app and the Twitter authorization process that returns the Twitter ID of any user when a phone number or email is submitted. zhirinovskiy describes Twitter IDs as “almost equal to” the username of an account.
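The bug class described above is account enumeration: an endpoint that takes a contact detail and answers differently depending on whether it is linked to an account. The following is an added, constructed example (not Twitter's code and not the HackerOne report's steps) that models a simplified lookup handler, shows the defender's distinguishability check, and contrasts it with a hardened handler that answers uniformly and budgets attempts per caller. The account table, the `HardenedLookup` class, and the `responses_distinguishable` check are all assumptions made for illustration.

```python
"""Constructed model of an account-enumeration leak and its hardened form.

Added example, not code from Twitter or from the HackerOne report.
"""
from collections import defaultdict
from typing import Callable, Dict, Optional

# Constructed sample table of contact detail -> internal account id (fake data).
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "1001",
    "+15550001111": "1001",
    "bob@example.com": "1002",
}


def vulnerable_lookup(contact: str) -> dict:
    """Bug class: the response body reveals whether `contact` is linked to an
    account, and hands back the internal account id when it is."""
    account_id: Optional[str] = ACCOUNTS.get(contact)
    if account_id is None:
        return {"status": "error", "message": "no account for this contact"}
    return {"status": "ok", "account_id": account_id}


def responses_distinguishable(handler: Callable[[str], dict],
                              linked: str, unlinked: str) -> bool:
    """Defender check: does the endpoint answer a linked contact differently
    from an unlinked one? True means the endpoint leaks account existence."""
    return handler(linked) != handler(unlinked)


class HardenedLookup:
    """Uniform response whether or not the contact matches, plus a per-caller
    attempt budget so bulk probing is cut off early."""

    def __init__(self, max_attempts_per_caller: int = 5) -> None:
        self.attempts: Dict[str, int] = defaultdict(int)
        self.max_attempts = max_attempts_per_caller
        self.sent: list = []  # record of out-of-band sends, for inspection

    def request(self, caller: str, contact: str) -> dict:
        self.attempts[caller] += 1
        if self.attempts[caller] > self.max_attempts:
            return {"status": "rate_limited"}
        account_id = ACCOUNTS.get(contact)
        if account_id is not None:
            # Deliver any account-specific information out of band (email/SMS
            # to the contact itself), never in the HTTP response.
            self._send_out_of_band(contact, account_id)
        # Identical body in both branches: the caller learns nothing.
        return {"status": "accepted",
                "message": "If this contact is linked to an account, "
                           "instructions have been sent to it."}

    def _send_out_of_band(self, contact: str, account_id: str) -> None:
        # Placeholder for a mail/SMS queue in a real deployment (assumption).
        self.sent.append((contact, account_id))


if __name__ == "__main__":
    print("vulnerable leaks:",
          responses_distinguishable(vulnerable_lookup,
                                    "alice@example.com", "nobody@example.com"))
    h = HardenedLookup(max_attempts_per_caller=3)
    print("hardened leaks:",
          responses_distinguishable(lambda c: h.request("tester", c),
                                    "alice@example.com", "nobody@example.com"))
```

The distinguishability check only compares response bodies; a real review would also compare status codes, headers and response timing, since a handler that does extra work on the matched branch can still leak through latency. Rate limiting alone is not a fix: the uniform response is what removes the leak, the budget just raises the cost of probing what remains.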
Five days after the report, Twitter staff acknowledged it as a “valid security issue” and, after investigating, awarded zhirinovskiy a $5,040 USD bounty (about $6,469 CAD).
9to5Mac notes that the attacker likely obtained existing databases of phone numbers and emails from other breaches, then used those with the Twitter breach to connect them with existing Twitter IDs. So far, there isn’t a way to check if your account is included in the breach. The best thing Twitter users can do is be aware of phishing scams and avoid clicking links in emails or texts, especially if they come from an unknown or untrusted source.
News of the breach comes as Twitter takes aim at Elon Musk, blaming the Tesla CEO for lower-than-expected quarterly earnings.