Hacker offers 5.4 million Twitter account details for $30,000
A Twitter security vulnerability discovered in early 2022 has been used to acquire the account details of 5.4 million users, and the hacker is offering the set for sale.
A hack of 5.4 million users is small compared to the 478 million T-Mobile customers affected in August 2021. It’s even small compared to the 70 million AT&T users affected later that same month.
Yet according to Restore Privacy, the hacked data currently for sale comes from a vulnerability that was reported in January 2022. Twitter acknowledged it was a valid security issue and even paid the discoverer, “zhirinovskiy”, a $5,040 bounty.
“Exactly as HackerOne user zhirinovskiy described in the initial January report, a malicious actor is now selling data allegedly acquired from this vulnerability,” says Sven Taylor of Restore Privacy. “The message is still online with the Twitter database which is said to consist of 5.4 million users for sale.”
“The seller on the hacking forum uses the username ‘devil,’” Taylor continues, “and claims the dataset includes ‘celebrities, corporations, randoms, OGs, etc.’”
“We contacted the vendor of this database to gather additional information,” Taylor says. “Vendor is asking at least $30,000 for the database, which is now available due to ‘Twitter’s incompetence’, according to the seller.”
The vendor posted the data on the Breach Forums site. According to Restore Privacy, the forum owner has verified the authenticity of the leak.
A sample of the data is included in the posting on Breach Forums. It appears to show publicly available Twitter profile information alongside the phone numbers and/or email addresses used to log in.
It doesn’t seem to include any passwords. Although it contains email addresses that could be used with Twitter’s “Forgot Password” feature, a bad actor would need separate access to that email account’s login password.
Therefore, the fear is less that user accounts will be compromised by bad actors, and more that data could be sold for advertisers to exploit.
Twitter has yet to comment.