Privacy Alert Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum

Correlate

Level 16
Thread author
Verified
Top poster
Well-known
May 4, 2019
748
Twitter said it is investigating the authenticity of a batch of information connected to 5.4 million accounts that is being sold on a hacking forum.

First reported by RestorePrivacy, the hacker – going by the name “devil” – is offering email addresses and phone numbers connected to the accounts. The hacker claimed in the post on Breach Forums that the accounts range from “celebrities, companies, randoms, OGs, etc.”
 

Gandalf_The_Grey

Level 62
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,140
A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.

Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings.

The bug was specific to Twitter’s Android client and occurred with Twitter’s authorization process.
Exactly as the HackerOne user zhirinovskiy described in the initial report in January, a threat actor is now selling the data allegedly acquired from this vulnerability.

Earlier today we noticed a new user selling the Twitter database on Breached Forums, the famous hacking forum that gained international attention earlier this month with a data breach exposing over 1 billion Chinese residents.

The post is still live now with the Twitter database allegedly consisting of 5.4 million users being for sale. The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.”
 

Correlate

Level 16
Thread author
Verified
Top poster
Well-known
May 4, 2019
748
Unbelievable.

Until there are real corporate penalties for inadequate protection of personal information --- this will not stop.

Thanks @Correlate for keeping us informed.
At least they have to encrypt that data
And provide more protection
Enacting laws to penalize companies may be an option to get them to respect data protection