Earlier this year, a verified Twitter vulnerability was exploited by a threat actor to gain account data allegedly from 5.4 million users. Although the vulnerability was patched by Twitter, the database acquired from this exploit was put on sale on a popular hacking forum.

In January 2022, a HackerOne user reported a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user chose to hide these fields in the privacy settings.

The report stated that the bug was specific to Twitter’s Android users and occurred with Twitter’s authorization process.

The bug report was submitted on January 1st of this year, by a HackerOne user “zhirinovsky”. He described the potential consequences of this exposure as a “serious threat that could be exploited by threat actors”. Few days after the report, Twitter staff recognized this to be a “valid security issue” and promised to investigate further.

Contact details for 5.4M Twitter accounts on sale!

Almost 7 months after the bug was pointed out, a threat actor has listed the data allegedly acquired from this vulnerability. The attacker offered a sample of the data on a hacking forum and is selling the full database for 30 000 USD. 

The hacking forum’s owner verified the authenticity of the attack, and Restore Privacy also says that two samples of the database check out.

“ We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.

All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter.”

So far, you cannot check if your account’s information is included in the breach. The best thing you should do, if you are a Twitter user, is to be aware of phishing scams and avoid clicking on suspicious links in emails or texts, especially if they come from unknown and fake sources! 

Twitter Confirms the Data Breach

Twitter says that the data breach resulted in leaking phone numbers and email addresses from 5.4 million accounts. The company confirms it has patched the zero-day exploit used in the said attack.
Zero-day exploits are a threat to the technology industry. Web browsers are being vulnerable to these threats. While Google is puting a lot of efforts in zero-day detections, malicious cyber attackers are always seeking out security vulnerabilities in all sorts of services. 

Twitter said in a statement last week that it “will be directly notifying the account owners [it] can confirm were affected by this issue”.

Learn how to protect your Twitter account ! 

The social network recommends that users should enable 2-factor authentication to protect their accounts from unauthorized access. Twitter added, “We recommend not adding a publicly known phone number or email address to your Twitter account.”

You want to learn more about cyber security threats , read this blog: Cyber security threats: 7 common types that you might face