You might want to check your email to see if Twitter believes your account got hacked.
Twitter has confirmed that a data breach allowed a hacker to gain access to the contact details of up to 5.4 million accounts.
The data – which ties Twitter handles to phone numbers and email addresses – has been offered for sale on a hacking forum, for $30,000.
Restore Privacy offered the following breakdown of the breach, which was made possible by a vulnerability discovered back in January:
A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.
Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings […]
A threat actor is now selling the data allegedly acquired from this vulnerability. Earlier today we noticed a new user selling the Twitter database on Breached Forums, the famous hacking forum that gained international attention earlier this month with a data breach exposing over 1 billion Chinese residents.
The post is still live now with the Twitter database allegedly consisting of 5.4 million users being for sale. The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.”
The publication also cited two samples from the database to confirm the authenticity of the breach:
We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.
All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter.
Per HackerOne, the vulnerability allowed anyone to submit a phone number or email address and retrieve the matching user’s twitterID, an internal identifier used by Twitter that can be readily converted to a Twitter handle:
This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.
Also a cool feature that I discovered is that you can even find the IDs of suspended Twitter accounts using this method.
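The defect described above is a contact-lookup endpoint that ignores the owner’s discoverability settings and account state. The following added example (hypothetical code written for this article, not Twitter’s implementation) contrasts that pattern with a hardened lookup over a constructed in-memory account store, and includes a regression check an engineer could use to confirm opted-out and suspended accounts no longer resolve.

```python
from dataclasses import dataclass

# Constructed sample data model (hypothetical; not Twitter's schema).
@dataclass
class Account:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False
    suspended: bool = False

ACCOUNTS = [
    Account(101, "alice", "alice@example.com", "+15550000001", discoverable_by_email=True),
    Account(102, "bob", "bob@example.com", "+15550000002"),  # opted out of discovery entirely
    Account(103, "carol", "carol@example.com", "+15550000003", True, True, suspended=True),
]

def lookup_vulnerable(contact: str):
    """Pattern the report describes: matches on email/phone alone, ignoring the
    user's privacy settings and account state, and returns the internal ID."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct.user_id
    return None

def lookup_hardened(contact: str):
    """Return an ID only for active accounts that opted in to discovery by the
    matching contact type. Every other case yields the same 'no match' result,
    so the response does not reveal whether the contact belongs to any account."""
    for acct in ACCOUNTS:
        if acct.suspended:
            continue
        if contact == acct.email and acct.discoverable_by_email:
            return acct.user_id
        if contact == acct.phone and acct.discoverable_by_phone:
            return acct.user_id
    return None

def find_leaks(lookup):
    """Regression check: contacts that resolve although the owner opted out of
    discovery for that channel or the account is suspended."""
    leaks = []
    for acct in ACCOUNTS:
        for contact, allowed in ((acct.email, acct.discoverable_by_email),
                                 (acct.phone, acct.discoverable_by_phone)):
            if (acct.suspended or not allowed) and lookup(contact) is not None:
                leaks.append(contact)
    return leaks
```

Running `find_leaks` against both functions shows the opted-out and suspended contacts that the vulnerable path exposes and the hardened path withholds.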
There is currently no reliable way to check whether your account was included in the breach, so be cautious about phishing attacks: emails that claim to come from a trusted company or party and then ask you to log in to your account.
Twitter confirmed the existence of the vulnerability, and offered the following comment to affected users:
This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.
In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
We will be directly notifying the account owners we can confirm were affected by this issue.
Please be careful out there and stay tuned for additional details as they become available.
Via 9to5Mac, Restore Privacy, HackerOne, and Twitter