Twitter, a popular social networking platform, was previously found to have a now-patched vulnerability that allowed hackers to steal and leak the data of over 5.4 million Twitter users.
The stolen data, containing a large volume of Twitter users’ information, was posted for sale on a hacking forum. Researchers first identified the vulnerability as one that allowed an attacker to find the Twitter account linked to a mobile number or email address, even when the user had opted out of such discovery in their privacy settings.
As further explained, the vulnerability lay in the authorisation process of Twitter’s Android client, specifically in the API call that checks whether an account username is already taken. The researchers highlighted that the bug posed a serious threat to the online community, since threat actors, even low-skilled ones, could easily enumerate a massive portion of the Twitter user base despite those users having opted out of linking their username to a phone number or email address.
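To make the flaw concrete, the following is an added example written for this article and not Twitter’s own code: a minimal model of a “contact already used?” check that leaks the linked handle regardless of the user’s discoverability setting, beside a hardened version that returns a uniform response and a separate discovery path that honours the opt-out. The account records, field names and API shape are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    username: str
    email: str
    phone: str
    discoverable_by_email: bool  # user's "let people find me by email" setting
    discoverable_by_phone: bool  # user's "let people find me by phone" setting

# Constructed sample accounts; none are real users.
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550100", True, False),
    Account("bob", "bob@example.com", "+15550101", False, False),
]

# Stand-in for an out-of-band channel (email/SMS to the contact's real owner).
OUTBOUND_NOTICES = []

def _find(identifier: str) -> Optional[Account]:
    return next((a for a in ACCOUNTS if identifier in (a.email, a.phone)), None)

def duplicate_check_vulnerable(identifier: str) -> dict:
    """Models the flaw: the signup duplicate check answers with the linked
    handle, ignoring the owner's discoverability opt-out entirely."""
    acct = _find(identifier)
    if acct:
        return {"taken": True, "username": acct.username}
    return {"taken": False}

def duplicate_check_hardened(identifier: str) -> dict:
    """Same check, but the caller learns nothing: the response is identical
    whether or not the contact is registered. Any 'already registered' notice
    goes to the contact itself, never back to the requester."""
    acct = _find(identifier)
    if acct:
        OUTBOUND_NOTICES.append((identifier, "This contact is already registered."))
    return {"status": "ok"}

def contact_discovery(identifier: str) -> Optional[str]:
    """The legitimate 'find friends' path: reveals the handle only when the
    owner opted in for that specific contact channel."""
    acct = _find(identifier)
    if acct is None:
        return None
    if identifier == acct.email and acct.discoverable_by_email:
        return acct.username
    if identifier == acct.phone and acct.discoverable_by_phone:
        return acct.username
    return None
```

A uniform response body is only part of the mitigation; in practice the endpoint also needs per-client rate limiting and monitoring for bulk lookups, since the enumeration described above relied on cheap, repeated queries.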
The Twitter database collected through the flaw could be sold by hackers to other cybercriminals or used to target people in further attack schemes.
After the bug bounty researcher submitted their findings to the social media giant, the company paid out an award, since the report had helped it release a patch. Meanwhile, a separate security researcher spotted the stolen database on the hacking forum, holding approximately 5.4 million Twitter users’ information available for purchase.
According to the seller, it contains a large set of email addresses and phone numbers belonging to ordinary people, high-profile public figures, and corporations worldwide. The seller also shared a database sample in a CSV file to prove its legitimacy and offered the entire database for $30,000.
Hours after it was posted, the database was verified by authorised checkers, who noted that it had indeed been extracted through the reported Twitter flaw. The verification was based on the shared sample, which contained profile information of users worldwide, including the email addresses and phone numbers linked to the accounts.
At the time of the last check, the database advertisement had already been removed by its seller, although it remains unknown whether this was because the database had been sold or merely taken down.