Threat actor “devil” is selling a database containing 5.49 million Twitter users’ sensitive information on Breached Forums.
Restore Privacy reported that Breached Forums’ owner verified the leak’s authenticity and confirmed the data was extracted using the vulnerability disclosed by HackerOne user zhirinovskiy.
The hacker told RestorePrivacy that he was asking at least $30,000 for the information, which included email addresses and phone numbers of users ranging from celebrities and companies to average users.
“We downloaded the sample database for verification and analysis,” RestorePrivacy said.
“It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.”
“All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter,” RestorePrivacy reported.
At the start of January 2022, zhirinovskiy disclosed a severe security vulnerability that could let bad actors access the phone numbers and email addresses associated with Twitter accounts.
“The vulnerability allows any party without any authentication to obtain a Twitter ID of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings,” said zhirinovskiy’s HackerOne post.
“The bug exists due to the process of authorisation used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.”
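The flaw described above is a duplicate-account check that maps a phone number or email to an account ID for any unauthenticated caller, ignoring the owner's discoverability setting. The following is an added illustration written for this article, not Twitter's code: a constructed signup check that leaks the ID, beside a version that returns no ID and only acknowledges a match when the owner has opted in to discovery by that identifier type. Account data, field names and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Account:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool  # "let people find me by email" setting
    discoverable_by_phone: bool  # "let people find me by phone" setting


# Constructed sample accounts (hypothetical data for the illustration).
ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550100", False, False),  # opted out
    Account(1002, "bob@example.com", "+15550101", True, True),      # opted in
]


def _find(identifier: str):
    """Look up an account by email or phone; None if unregistered."""
    for account in ACCOUNTS:
        if identifier in (account.email, account.phone):
            return account
    return None


def vulnerable_duplicate_check(identifier: str) -> dict:
    """Leaky signup check: any unauthenticated caller learns whether the
    identifier is registered AND which account owns it, regardless of the
    owner's privacy settings. This is the class of behaviour the report describes."""
    account = _find(identifier)
    if account is None:
        return {"taken": False}
    return {"taken": True, "user_id": account.user_id}


def hardened_duplicate_check(identifier: str) -> dict:
    """Fixed signup check: never return an account ID from an unauthenticated
    call, and only acknowledge a match when the owner opted in to discovery by
    this identifier type; otherwise answer exactly as for an unknown identifier.
    Ownership of an opted-out identifier is then proven by a verification code
    sent to that phone/email, so signup still works without leaking anything."""
    account = _find(identifier)
    if account is None:
        return {"taken": False}
    opted_in = (account.discoverable_by_email if "@" in identifier
                else account.discoverable_by_phone)
    return {"taken": True} if opted_in else {"taken": False}
```

The hardened variant should also sit behind per-IP and per-identifier rate limits, since even an opt-in-only "taken" answer is a lookup oracle at scale.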
Six days after the disclosure, Twitter staff closed the issue and marked it resolved, rewarding zhirinovskiy with $5,040.
Since the report, the threat actor has removed the advertisement, Security Affairs reported.