Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum

Correlate

Twitter said it is investigating the authenticity of a batch of information connected to 5.4 million accounts that is being sold on a hacking forum.

First reported by RestorePrivacy, the hacker – going by the name “devil” – is offering email addresses and phone numbers connected to the accounts. The hacker claimed in the post on Breach Forums that the accounts range from “celebrities, companies, randoms, OGs, etc.”

Gandalf_The_Grey

A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.

Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings.

The bug was specific to Twitter’s Android client and occurred with Twitter’s authorization process.
Exactly as the HackerOne user zhirinovskiy described in the initial report in January, a threat actor is now selling the data allegedly acquired from this vulnerability.

Earlier today we noticed a new user selling the Twitter database on Breached Forums, the famous hacking forum that gained international attention earlier this month with a data breach exposing over 1 billion Chinese residents.

The post is still live now with the Twitter database allegedly consisting of 5.4 million users being for sale. The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.”

Correlate

Unbelievable.

Until there are real corporate penalties for inadequate protection of personal information, this will not stop.

Thanks @Correlate for keeping us informed.
At least they have to encrypt that data and provide more protection.
Enacting laws to penalize companies may be an option to get them to respect data protection.

Correlate

A zero-day vulnerability in Twitter’s code base was responsible for a major data breach that is thought to have affected 5.4 million users, the social media firm has revealed.

The threat actor was hoping to sell the profile data for $30,000 on a cybercrime site. Some information was scraped from public Twitter profiles, including location and image URL. However, they were crucially able to link account emails and phone numbers with account IDs by leveraging the vulnerability.

plat

Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

Maybe Elon Musk was onto something there after all. :unsure: :coffee:

plat

Ironically, a Twitter post just now--actually twoferone.

An example of Twitter's "slack" internal protocol regarding employees' endpoints. What is next?