Security News > 2022 > July > Hacker selling Twitter account data of 5.4 million users for $30k
Twitter has suffered a data breach after threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts, with the data now up for sale on a hacker forum for $30,000.
"Hello, today I present you data collected on multiple users who use Twitter via a vulnerability.," reads the forums post selling the Twitter data.
As first reported by Restore Privacy, the vulnerability used to collect the data is the same one disclosed to Twitter through HackerOne on January 1st and fixed on January 13th. "The vulnerability allows any party without any authentication to obtain a twitter ID of any user by submitting a phone number/email even though the user has prohibitted this action in the privacy settings," reads the vulnerability disclosure by security researcher 'zhirinovskiy.
The hacker told us that you could feed email addresses and phone numbers to the vulnerability to determine if it is associated with a Twitter account and retrieve that account's ID. Armed with this Twitter ID, they likely scraped the rest of the public data to create a user profile for the user.
BleepingComputer verified with some of the Twitter users listed in a small sample of data shared by the hacker that the private information is accurate.
All Twitter users should be vigilant when receiving emails from Twitter, especially if they ask you to enter login credentials, which users should only be done on Twitter.com.