Twitter patches software flaw that let a hacker steal information from 5.4 million accounts

Twitter patched a flaw in its software that allowed a hacker dubbed ‘the devil’ to steal phone numbers and email addresses from 5.4 million accounts and sell them for $30,000 each on the dark web.

  • A bad actor got into Twitter through a zero-day vulnerability
  • A zero-day vulnerability is a software flaw that is unknown to the parties responsible for the site
  • The vulnerability allowed them to scrape information, including phone numbers and emails, and offer 5.4 million accounts for sale on the dark web.

Twitter discovered the zero-day vulnerability that allowed a bad actor to compile a list of 5.4 million account profiles in December 2021; it has now been fixed as of Friday.

A zero-day vulnerability is a software flaw that is unknown to the parties responsible for the site, leaving an open window for those lurking behind the scenes of the website.

The vulnerability allowed the hacker known as “the devil” to scrape Twitter and collect phone numbers and emails associated with millions of accounts belonging to “celebrities, companies and random people,” according to a post by the hacker on the dark web, which says the data was obtained via a ‘Twitter outage’.

The fix comes too late, as the hacker already uploaded the data to the dark web and was selling the accounts for $30,000 each — it’s not clear how much was bought, BleepingComputer reports.

Twitter patched a flaw in its software that allowed a hacker to compile the phone numbers and email addresses associated with 5.4 million accounts

Twitter disclosed in a security advisory on Friday: “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed.”

“This flaw resulted from an update to our code in June 2021. When we learned about it, we immediately investigated and fixed it. At the time, we had no evidence to suggest that anyone had taken advantage of the vulnerability.”

Twitter told BleepingComputer that it is aware of some of the users affected by the hack and is sending these individuals notifications to inform them that their phone number or email address has now been compromised.

However, the social media platform does not clarify how many users have been victimized.

At this time, Twitter tells us that it cannot determine the exact number of people affected by the breach. No passwords were collected by the ‘devil’, so the accounts themselves will not be stolen.

Twitter requires users to set up two-factor authentication on their accounts to stop anyone else from logging into their account.

“We are releasing this update because we are unable to confirm every account that was potentially affected and are particularly mindful of people with pseudonymous accounts who may be targeted by the state or other actors,” Twitter’s advisory warned.

Graham Ivan Clark was responsible for a global Twitter hack in 2020

This attack, although large, did not make as much noise as the global hack that hijacked the accounts belonging to high-profile people such as Bill Gates and Barack Obama.

The July 15, 2020 breach, the largest in Twitter’s history, also affected the accounts of celebrities including Elon Musk, Kanye West, Amazon CEO Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather and Kim Kardashian.

Messages were posted by the famous accounts telling followers to send Bitcoin payments to email addresses, defrauding unsuspecting victims of more than $180,000 in the process.

A hacker who identified himself as “Kirk”, believed to be Graham Ivan Clark, claimed to be a Twitter employee and said he could “restore, swap and control any Twitter account at will” in exchange for payments in cryptocurrency, according to court documents. Clark, who was convicted as a young offender – he was 17 at the time – accepted a three-year prison sentence.