Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum
Twitter said it is investigating the authenticity of a batch of information connected to 5.4 million accounts that is being sold on a hacking forum.
First reported by RestorePrivacy, the hacker – going by the name “devil” – is offering email addresses and phone numbers connected to the accounts. The hacker claimed in the post on Breach Forums that the accounts range from “celebrities, companies, randoms, OGs, etc.”
Researchers immediately tied the post to a vulnerability in Twitter’s platform that was discovered in January by a security researcher who reported the issue through the HackerOne site.
The researcher explained that the vulnerability allowed an attacker to “find a twitter account by it’s phone number/email even if the user has prohibited this in the privacy options.”
“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” the researcher, who goes by “zhirinovskiy,” explained.
“This is a serious threat, as people can not only find users who have disabled discoverability by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities. Short: this can lead to a loss of privacy for many users.”
Twitter acknowledged the issue on January 6, paid a $5,040 bounty and resolved the vulnerability by January 13. The researcher confirmed that the vulnerability was fixed that same day.
RestorePrivacy verified with the hacker “devil” that the information in the database is legitimate and was told that they are selling it for “nothing lower than 30k.”
On Friday, a Twitter spokesperson told The Record that the company is “reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”
“We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability. As always, we’re committed to protecting the privacy and security of the people who use Twitter,” the Twitter spokesperson said.
“We’re grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this. We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”
Twitter did not respond to requests for comment about what would be done for the accounts in question once they confirm the database has legitimate information.