Threat actor “devil” is selling a database containing sensitive information of 5.49 million Twitter users on “Breached Forums”.
RestorePrivacy reported that the owner of Breach Forums verified the authenticity of the leak and confirmed that the data was extracted using the vulnerability discovered by HackerOne user zhirinovskiy.
The hacker told RestorePrivacy that he was seeking at least $30,000 for the information, which included email addresses and phone numbers of users ranging from celebrities and companies to average users.
“We downloaded the sample database for verification and analysis,” RestorePrivacy said.
“It includes people from all over the world, with public profile information, as well as the email or phone number of the Twitter user used with the account.”
“All the samples we looked at matched real-world people who could easily be verified with public Twitter profiles.”
In early January 2022, Zhirinovskiy discovered a serious security vulnerability that could allow bad actors to access phone numbers and email addresses associated with Twitter accounts.
“The vulnerability allows any party without any authentication to obtain a Twitter ID of any user by sending a phone number/email even though the user has disabled this action in privacy settings,” reads zhirinovskiy's HackerOne post.
“The flaw exists because of the authorization process used in the Twitter Android Client, specifically the process of checking for duplication of a Twitter account.”
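To make the failure mode concrete, here is an added example (constructed for this article, not Twitter's code or the HackerOne report): a toy signup "duplicate check" in the vulnerable shape described above, an enumeration-safe version that answers identically whether or not the contact is registered, and a lookup that actually honors the user's discoverability setting. The accounts, the `OUTBOX` delivery stand-in and all function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    user_id: int
    email: str
    phone: str
    discoverable: bool  # the user's "let others find me by email/phone" setting

# Constructed sample accounts (placeholder data, not real Twitter users).
USERS = [
    User(1001, "alice@example.com", "+15550001111", discoverable=False),
    User(1002, "bob@example.com", "+15550002222", discoverable=True),
]
OUTBOX: list = []  # stands in for the email/SMS delivery channel

def _find(identifier: str) -> Optional[User]:
    return next((u for u in USERS if identifier in (u.email, u.phone)), None)

def vulnerable_duplicate_check(identifier: str) -> dict:
    """Mirrors the flaw described above: an unauthenticated caller submits an
    email or phone and gets back the account ID, discoverability ignored."""
    user = _find(identifier)
    return {"taken": True, "user_id": user.user_id} if user else {"taken": False}

def hardened_duplicate_check(identifier: str) -> dict:
    """Uniform response: registered and unregistered identifiers get the same
    reply, and the real outcome goes only to the owner of that contact."""
    if _find(identifier):
        OUTBOX.append((identifier, "This contact is already registered; sign in instead."))
    else:
        OUTBOX.append((identifier, "Use this message to confirm your new account."))
    return {"status": "check_your_inbox"}

def contact_lookup(identifier: str, authenticated: bool) -> Optional[int]:
    """Discoverability done right: authenticated callers only, and a user
    who opted out of being found by email/phone is never returned."""
    if not authenticated:
        return None
    user = _find(identifier)
    return user.user_id if user and user.discoverable else None
```

The point of the hardened check is that the HTTP response carries no signal at all; a reviewer can verify that by confirming the reply for a registered and an unregistered contact is byte-for-byte identical.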
Six days after the discovery, Twitter staff closed the case and marked it resolved, awarding Zhirinovskiy $5,040.
Since the leak was reported, the threat actor has removed the ad, Security Matters reported.