A threat actor leaked data of 5.4 million Twitter users that was obtained by exploiting a now-patched flaw in the popular platform.
A threat actor has leaked data of 5.4 million Twitter accounts that was obtained by exploiting a now-fixed vulnerability in the popular social media platform.
The threat actor is now offering the stolen data for sale on the popular hacking forum Breached Forums. In January, a report published on HackerOne claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options.
“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” reads the description in the report submitted by zhirinovskiy via the bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities”
Twitter confirmed the existence of this vulnerability and awarded zhirinovskiy with a $5,040 bounty.
The website Restore Privacy first discovered the advertisement for the large trove of data on Breached Forums.
Hacker lists database of 5.4 million Twitter users for sale
The seller claims that the database contains data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of the data in the form of a CSV file.
“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.” reads the post published by RestorePrivacy.
“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.”
The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.
Update: 24 July, 2022
The seller has removed the adv
(SecurityAffairs – hacking, Twitter)