The data was taken from Twitter’s databases through a vulnerability that was discovered and patched earlier this year.
Hackers were able to access the personal information of 5.4 million Twitter users thanks to a weakness in the company’s systems. According to sources, this data is available for purchase for $30,000, or Rs. 23.96 lakhs.
Back in January of this year, HackerOne revealed that a Twitter vulnerability exposed millions of users’ personal information, including their phone numbers and email addresses, to anyone who cared to look it up. The vulnerability allowed anyone to enter a phone number or email address and discover the corresponding Twitter ID. What is alarming is that the lookup worked even if the user had enabled the privacy settings meant to keep these details private.
Even if the user has blocked this action in the privacy settings, the vulnerability enables any party to obtain the Twitter ID (which is practically equivalent to learning the username of an account) of any user by supplying a phone number or email address. According to a user who goes by the handle “zhirinovskiy” on the platform, the flaw lies in the Twitter Android client’s authorization procedure, specifically the step that checks for duplicate accounts. The author of the post also included instructions for obtaining a proof of concept, in other words, for reproducing the vulnerability.
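The flaw described above is an account-existence oracle: a duplicate-contact check that answers with the matching account even when the owner has opted out of being found by email or phone. The following added example (hypothetical code, not Twitter’s) contrasts that leaky check with one that returns a uniform response, and adds a simple detection rule for the bulk probing such an oracle invites. All accounts, identifiers and request events are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    user_id: str
    email: str
    phone: str
    discoverable_by_contact: bool   # the "let others find me by email/phone" setting


# Constructed sample directory (hypothetical users, not real data).
ACCOUNTS = [
    Account("1001", "alice@example.com", "+15550000001", discoverable_by_contact=False),
    Account("1002", "bob@example.com", "+15550000002", discoverable_by_contact=True),
]


def _find(identifier):
    return next((a for a in ACCOUNTS if identifier in (a.email, a.phone)), None)


def duplicate_check_leaky(identifier):
    """Vulnerable pattern: the 'is this contact already registered?' step returns the
    matching account id and ignores the owner's discoverability setting entirely."""
    acct = _find(identifier)
    return {"taken": acct is not None, "user_id": acct.user_id if acct else None}


def duplicate_check_hardened(identifier):
    """Fixed pattern: the response is identical whether or not the contact is known.
    Ownership is proven out of band (a code sent to the contact), so the caller never
    learns whether an account exists, let alone which one."""
    _find(identifier)  # may queue a verification message to the real owner; not returned
    return {"status": "verification_sent"}


def flag_enumeration(events, max_distinct=20, window_s=60):
    """Detection: one client probing many distinct contacts within a short window is the
    signature of bulk lookup. events are (timestamp_s, client_id, identifier) tuples;
    returns the set of client ids that exceeded max_distinct in any window_s span."""
    by_client = defaultdict(list)
    for ts, client, identifier in sorted(events):
        by_client[client].append((ts, identifier))
    flagged = set()
    for client, seq in by_client.items():
        for i, (t0, _) in enumerate(seq):
            seen = {ident for t, ident in seq[i:] if t - t0 <= window_s}
            if len(seen) > max_distinct:
                flagged.add(client)
                break
    return flagged
```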
At the time, Twitter referred to the vulnerability as a “legitimate security problem”. It also rewarded the researcher with $5,040, or Rs. 4.02 lakh.
Since then, the microblogging platform has patched the problem. Nevertheless, a hacker took advantage of the flaw while it was still present on Twitter, and is now asking $30,000 for access to the information.
The hacker is reportedly selling the Twitter database on Breached Forums, according to a report by Restore Privacy (via 9To5 Mac). The report claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc”, and that the post by the user named “devil” is still active on the platform.
The unscrupulous hacker also posted a sample of database data on Breached Forums, which the media independently validated.
Twitter has not yet responded to the situation.