A Twitter data breach allowed an attacker to gain access to the contact details of 5.4 million accounts. Twitter has confirmed a security vulnerability that allowed data to be extracted.
Data linking Twitter handles to phone numbers and email addresses has been up for sale on a hacker forum for $30,000…
Restore Privacy reports that the hack was made possible thanks to a vulnerability discovered back in January.
A Twitter vulnerability that was confirmed in January was used by an attacker to obtain account data from an estimated 5.4 million users. Although Twitter has since patched the vulnerability, the database allegedly obtained from this exploit is now being sold on a popular hacking forum posted earlier today.
Back in January, a vulnerability was reported on HackerOne that allows an attacker to obtain the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in their privacy settings. […]
The attacker is now selling data believed to be obtained through this vulnerability. Earlier today, we spotted a new user selling a Twitter database on Breached Forums, a notorious hacking forum that received international attention earlier this month for a data breach that affected more than 1 billion people in China.
The post is still relevant, and the Twitter database, supposedly made up of 5.4 million users, is up for sale. The seller on the hacker forum uses the username “devil” and claims that the data set includes “celebrities, companies, randoms, OGs, etc.”
The owner of the hacker forum confirmed the authenticity of the attack, and Restore Privacy also says that two sample databases are being tested.
We have downloaded a sample database for testing and analysis. This includes people from all over the world with public profile information and the email or phone number of the Twitter user used with the account.
All of the samples we’ve reviewed match up with real people, which can be easily verified using public Twitter profiles.
The privacy site contacted the seller and was told the price of the database was $30,000.
HackerOne back in January covered a vulnerability that allowed anyone to enter a phone number or email address and then look up the corresponding twitterID. This is an internal identifier used by Twitter, but can easily be converted to a Twitter handle.
This is a serious threat, as not only can people find users who have restricted the ability to be found by email/phone number, but any attacker with basic knowledge in scripting/coding can enumerate a large portion of the Twitter user base that is not available for pre-enumeration (create a database with a phone/email connection to the username). Such bases can be sold to attackers for advertising purposes or to identify celebrities in various malicious activities.
Also an interesting feature that I found is that you can even find the IDs of suspended Twitter accounts using this method.
It is likely that the attacker obtained existing databases of phone numbers and email addresses obtained from hacking other services, and then used this data to look up the corresponding Twitter IDs.
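The lookup flaw described above is a classic account-enumeration pattern: an endpoint that answers "does this phone number or email map to an account?" gets fed a list harvested from other breaches. From a defender's side, the thing to watch in access logs is a single client resolving many distinct contact values in a short window, with a high share of "not found" responses (most values on a breached list will not be registered). The following is an added example, not code from 9to5Mac, Restore Privacy or Twitter; the log format, the `/contacts/lookup` path and the sample log lines are constructed for illustration.

```python
"""Added example: flag clients enumerating a contact-lookup endpoint.

The log format below is hypothetical: one line per request, with the
looked-up contact value already hashed so the log itself does not leak it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical endpoint name; substitute the real path of the lookup API.
LOOKUP_PATH = "/contacts/lookup"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) "
    r"key=(?P<key>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample log: 10.0.0.5 burns through eight distinct keys in eight
# seconds (five misses), 10.0.0.9 repeats one key, 10.0.0.7 is slow and steady.
SAMPLE_LOG = """\
2022-01-10T12:00:01Z client=10.0.0.5 path=/contacts/lookup key=h1 status=200
2022-01-10T12:00:02Z client=10.0.0.5 path=/contacts/lookup key=h2 status=404
2022-01-10T12:00:03Z client=10.0.0.5 path=/contacts/lookup key=h3 status=404
2022-01-10T12:00:04Z client=10.0.0.5 path=/contacts/lookup key=h4 status=200
2022-01-10T12:00:05Z client=10.0.0.5 path=/contacts/lookup key=h5 status=404
2022-01-10T12:00:06Z client=10.0.0.5 path=/contacts/lookup key=h6 status=404
2022-01-10T12:00:07Z client=10.0.0.5 path=/contacts/lookup key=h7 status=200
2022-01-10T12:00:08Z client=10.0.0.5 path=/contacts/lookup key=h8 status=404
2022-01-10T12:00:09Z client=10.0.0.9 path=/contacts/lookup key=h9 status=200
2022-01-10T12:00:10Z client=10.0.0.9 path=/contacts/lookup key=h9 status=200
2022-01-10T12:00:11Z client=10.0.0.9 path=/home key=- status=200
2022-01-10T12:01:00Z client=10.0.0.7 path=/contacts/lookup key=h10 status=200
2022-01-10T12:03:00Z client=10.0.0.7 path=/contacts/lookup key=h11 status=404
2022-01-10T12:05:00Z client=10.0.0.7 path=/contacts/lookup key=h12 status=200
2022-01-10T12:07:00Z client=10.0.0.7 path=/contacts/lookup key=h13 status=404
2022-01-10T12:09:00Z client=10.0.0.7 path=/contacts/lookup key=h14 status=200
2022-01-10T12:11:00Z client=10.0.0.7 path=/contacts/lookup key=h15 status=404
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def flag_enumerators(log_text, window_seconds=60, max_distinct=5):
    """Return {client: finding} for every client that resolved more than
    max_distinct distinct contact keys inside some window_seconds-wide sliding
    window. The finding reports the widest such window and its miss count, since
    a high miss ratio is what feeding a foreign breach list through the endpoint
    looks like."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == LOOKUP_PATH:
            per_client[rec["client"]].append(rec)

    findings = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["key"] for r in window}
            if len(distinct) > max_distinct and (best is None or len(distinct) > best["distinct_keys"]):
                best = {
                    "distinct_keys": len(distinct),
                    "requests": len(window),
                    "misses": sum(1 for r in window if r["status"] == 404),
                    "window_start": window[0]["ts"].isoformat(),
                }
        if best:
            findings[client] = best
    return findings


if __name__ == "__main__":
    for client, finding in flag_enumerators(SAMPLE_LOG).items():
        print(client, finding)
```

With the defaults only 10.0.0.5 is flagged; widening the window to ten minutes also catches the slow client 10.0.0.7, which is the usual tuning trade-off between catching low-and-slow enumeration and tolerating legitimate contact syncs. The check is a detection, not a fix: the mitigation is for the endpoint to honour the user's discoverability setting and to rate-limit lookups per client.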
There is currently no way to check if your account is included in a Twitter data breach. As always, it’s worth being vigilant for phishing attacks – emails purporting to be sent by Apple, your bank, PayPal, email provider, etc. that ask you to log into your account.
A common phishing tactic is to report that your account may be deleted or send a fake receipt for a large purchase along with a link to dispute the payment.
The main defense here is to never follow links sent in emails. Always use your own bookmarks or enter a known URL.