Hacker steals data from 5.4 million Twitter accounts — don’t let this happen to you


A Twitter vulnerability has led to a hacker obtaining account data of 5.4 million users, and the stolen information, which is claimed to include email addresses and phone numbers, is up for sale for at least $30,000.

The sale was spotted by cybersecurity outlet RestorePrivacy. The threat actor acquired the dataset through a vulnerability in Twitter's Android client that allowed attackers to find the email addresses and phone numbers associated with accounts. As HackerOne reports, Twitter acknowledged this bug as a "valid security issue" back in January and awarded user zhirinovskiy a $5,040 bounty for discovering it. The bug has since been patched.

However, the threat actor, known as "devil," is said to have used this exploit to collect and sell millions of users' data, which is said to "range from Celebrities, to Companies, randoms, OGs, etc." RestorePrivacy reached out to the seller, who claimed the database will be sold for at least $30,000.


The listing was discovered on the hacking forum Breached Forums, where the hacker posted a sample of the data, which analysts downloaded for verification. "It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account," the report states. The samples also match real-world Twitter profiles.

How you can prevent being hacked

Currently, Twitter is investigating the situation. While the database doesn't include private credentials such as passwords, attackers can still use this data for phishing attacks to gain access to more private information. As user zhirinovskiy points out, it can also be used to target celebrities in different malicious activities.

While it's uncertain which users are among the 5.4 million accounts in the database, it's a good idea to make sure your online accounts are secured by using the best password managers around. This makes it difficult for threat actors to breach an account, even if they know other important details.

What's more, in case the data is used for malicious purposes, keep a lookout for suspicious emails asking you to enter login credentials such as your username and password. You only need to do this on Twitter's website.

It isn't uncommon for data to be sold on dark web markets. This year, the Dark Web Price Index 2022 shows the dark web market is growing, with retailers selling stolen credit card data, cryptocurrency accounts, hacked Gmail and Twitter accounts, and purchasable malware at significantly cheaper prices over the past year.

Darragh Murphy
