A database containing 5.4m Twitter users’ data is reportedly for sale on a popular criminal forum. Twitter is investigating the issue, which the seller said exploited a vulnerability in its systems reported in January.
The seller, using the nickname ‘devil,’ advertised the data on the Breached Forums site and demanded at least $30,000 for it. They said that the database contains the phone numbers and email addresses of users, including celebrities and companies.
The hack reportedly exploits a vulnerability first reported by a HackerOne user known as ‘zhirinovskiy.’ That bug enabled “an attacker with a basic knowledge of scripting/coding” to find a Twitter user’s phone number and email address, even if the user had hidden them in their privacy settings. The researcher explained how the bug could be exploited in their HackerOne report. Twitter acknowledged the bug and fixed it five days later.
The sale was first reported by RestorePrivacy, which has also downloaded and verified the dataset. Twitter told the publication that it is investigating the situation but provided no other information.
Twitter users are unhappy that the company has apparently failed to notify them of the breach. One said: “Weird your users haven’t been notified by you yet. Two words come to mind: Class Action. In my state you have 36 hours to report this.”
“TWITTER: Why did you not announce this when it happened?” asked another.
“While bug bounties are great for finding vulnerabilities, it is still down to the company to ensure they have sufficiently closed the gap as well as the ability to hunt through historic activity to find evidence of exploration, otherwise they risk being publicly embarrassed just like Twitter over the last few days,” said Ian McShane, VP of strategy at the security company Arctic Wolf, in response to the news. “Whatever the case, this incident is not a good look for Twitter after a tumultuous few months.”