A Twitter vulnerability has led to a hacker obtaining account data of 5.4 million users, and the stolen information, which is claimed to include email and phone numbers, is up for sale for at least $30,000.
Spotted by cybersecurity outlet RestorePrivacy, the threat actor acquired the dataset through a vulnerability on Twitter's Android client that allowed attackers to find the email and phone numbers associated with the accounts. As HackerOne reports, Twitter acknowledged this bug as a "valid security issue" back in January, awarding user zhirinovskiy with a $5,040 bounty for discovering it, and has since been patched.
However, the threat actor, known as "devil," is said to have used this exploit to sell millions of users' data, which is said to "range from Celebrities, to Companies, randoms, OGs, etc." RestorePrivacy reached out to the seller, who claimed the database will be sold for at least $30,000.
Discovered on hacking forum Breached Forums, the hacker posted a sample of the data, which analysts downloaded for verification. "It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account," the report states. The samples also match real-world Twitter profiles.
How you can prevent being hacked
Currently, Twitter is investigating the situation. While the database doesn't include private credentials such as passwords, people can still use this data for phishing attacks to gain access to more private information. As user zhirinovskiy points out, it can also be used to target celebrities in different malicious activities.
While it's uncertain what users are vulnerable in the 5.4 million accounts in the database, it's a good idea to make sure your online accounts are secured by using the best password managers around. This makes it difficult for threat actors to breach an account, even if they know other important details.
What's more, if the data is utilized for malicious purposes, keep a look out for suspicious emails asking to enter login credentials such as your username and password. You only need to do this on Twitter's website.
It isn't uncommon for data to be sold through the dark web market. This year, the Dark Web Price Index 2022 shows the dark web market is growing, with retailers selling stolen credit card data, cryptocurrency accounts, hacked Gmail and Twitter accounts, and purchasable malware for significantly cheaper prices over the past year.