Cyber-Criminal Offers 5.4m Twitter Users’ Data

A database containing 5.4m Twitter users’ data is reportedly for sale on a popular criminal forum. Twitter is investigating the issue, which the seller said exploited a vulnerability in its systems reported in January.

The seller, using the nickname ‘devil,’ advertised the data on the Breached Forums site and demanded at least $30,000 for it. They said that the database contains the phone numbers and email addresses of users, including celebrities and companies.

The hack reportedly exploits a vulnerability first reported by a HackerOne user known as ‘zhirinovskiy.’ That bug enabled “an attacker with a basic knowledge of scripting/coding” to find a Twitter user’s phone number and email address, even if the user had hidden them in their privacy settings. The researcher’s HackerOne report explained how the bug could be exploited. Twitter acknowledged the bug and fixed it five days later.

The sale was first reported by RestorePrivacy, which has also downloaded and verified the dataset. Twitter told the publication that it is investigating the situation but provided no other information.

Twitter users are unhappy that the company has apparently failed to notify them of the breach. One said: “Weird your users haven’t been notified by you yet. Two words come to mind: Class Action. In my state you have 36 hours to report this.”

“TWITTER: Why did you not announce this when it happened?” asked another.

“While bug bounties are great for finding vulnerabilities, it is still down to the company to ensure they have sufficiently closed the gap as well as the ability to hunt through historic activity to find evidence of exploration, otherwise they risk being publicly embarrassed just like Twitter over the last few days,” said Ian McShane, VP of strategy at the security company Arctic Wolf, in response to the news. “Whatever the case, this incident is not a good look for Twitter after a tumultuous few months.”

Source