Twitter has acknowledged that the microblogging social network has been the victim of a data breach in which the details of 5.4 million user accounts, including phone numbers, were leaked. Email addresses have also been leaked, and while this may not seem very serious at first, it gives malicious actors the ability to run spam campaigns or attempt brute-force attacks (trying passwords one by one until the right one is found).
The origin of the breach was detected, or at least published, on HackerOne a few months ago, more specifically on January 1 of this year. The outlet Restore Privacy explains that the malicious actor exploited a vulnerability present in the Twitter application for Android and used it to obtain the data of 5.4 million accounts. On top of that, the database containing them has been on sale since yesterday on the well-known hacking forum Breached Forums, priced at $30,000.
It is worth mentioning that the user selling the database goes by the nickname ‘devil’ and attributes the origin of the product to “twitter incompetence”, implying that those responsible for the social network did not do their homework properly when it came to protecting their users’ data.
‘zhirinovskiy’, the HackerOne user who reported the vulnerability in the Twitter app for Android on January 1, explained that “this is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but rather any attacker with a basic understanding of scripting/coding can enumerate a large portion of the Twitter user base which is not available for pre-enumeration (create a database with phone/email connections to username). Such databases can be sold to malicious parties for advertising purposes or to identify celebrities in various malicious activities.”
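The flaw class described in the report is a contact-discovery lookup that answers for accounts whose owners have opted out of being found by email or phone. The following is an added illustration, not Twitter's code and not taken from the HackerOne report: a hypothetical lookup handler in its leaky form beside a hardened form that honors the user's discoverability setting and returns the same response for a hidden account as for a nonexistent one, plus a per-caller rate limit that makes bulk enumeration impractical and visible. All account data, names and limits are constructed for the example.

```python
# Added example (hypothetical service, not Twitter's implementation).
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool


# Constructed sample directory: 'bob' has opted out of discovery by both contact types.
DIRECTORY = [
    User("alice", "alice@example.com", "+15550100", True, True),
    User("bob", "bob@example.com", "+15550101", False, False),
]


def lookup_vulnerable(contact: str) -> dict:
    """Leaky variant: matches on email or phone without consulting the owner's
    discoverability setting, so a hidden account is revealed and the endpoint
    doubles as an existence oracle for any contact list fed to it."""
    for u in DIRECTORY:
        if contact in (u.email, u.phone):
            return {"found": True, "username": u.username}
    return {"found": False}


def lookup_hardened(contact: str) -> dict:
    """Hardened variant: only returns an account when its owner allows discovery
    by that contact type. A hidden account and an unknown contact produce the
    identical response, so the reply carries no signal about account existence."""
    for u in DIRECTORY:
        if contact == u.email and u.discoverable_by_email:
            return {"found": True, "username": u.username}
        if contact == u.phone and u.discoverable_by_phone:
            return {"found": True, "username": u.username}
    return {"found": False}


class LookupRateLimiter:
    """Sliding-window ceiling on lookups per caller (per API key or client).
    Enumerating a large user base needs millions of queries; a tight ceiling
    makes that impractical and turns rejected calls into a detection signal."""

    def __init__(self, max_calls: int, window_seconds: float) -> None:
        self.max_calls = max_calls
        self.window = window_seconds
        self._calls: dict[str, deque] = defaultdict(deque)

    def allow(self, caller: str, now: float) -> bool:
        q = self._calls[caller]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_calls:
            return False  # over quota: reject and log for investigation
        q.append(now)
        return True


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("bob@example.com"))   # reveals hidden account
    print("hardened:  ", lookup_hardened("bob@example.com"))     # indistinguishable from unknown
    limiter = LookupRateLimiter(max_calls=3, window_seconds=60)
    print([limiter.allow("key-1", t) for t in (0, 1, 2, 3)])      # [True, True, True, False]
```

In a real deployment the discoverability check belongs in the data-access layer rather than in each endpoint, so that every client (web, Android, third-party API) goes through the same filter; the rate limit and its rejection counts are what an operations team would alert on.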
Twitter, for its part, took five days to respond, possibly because it took time to verify the information posted by ‘zhirinovskiy’. After acknowledging the bug and working on a patch to correct the vulnerability, the company rewarded the HackerOne user with $5,040.
As we have already said, the leaked data includes phone numbers and email addresses, which were obtained even when the user had marked them as hidden. Among the affected accounts, according to ‘devil’, are some belonging to celebrities and companies. The owner of Breach Forums has verified the authenticity of the leak and that it originated from the vulnerability posted on HackerOne.
As a precautionary measure, at MuyComputer we strongly recommend changing your Twitter password, and your email password if it is not particularly strong (if you use a password manager, you should change it regardless). A phone number is not as easy to fix, so in extreme cases it would be advisable to change it if a lot of suspicious activity is detected (such as being spammed or harassed by phone).