Your Twitter account in danger: data on millions of users up for sale

However carefully we protect our online accounts (random usernames and passwords, two-factor authentication, and so on), full protection is impossible. We may feel we have everything under control, but we have no control over the security of the servers where our data is stored, and that is precisely where attackers strike most often. Although the Internet giants spend billions on cybersecurity, a gap always ends up appearing through which attackers manage to put all of their users at risk. The latest to fall into the hands of hackers is Twitter.

This weekend a major security breach came to light: a hacker using the pseudonym "devil" has obtained data on more than 5.4 million Twitter users. To do so, the criminal exploited a vulnerability very similar to the one that hit Facebook in 2021 and allowed the scraping of 533 million user records.

The security flaw allowed (it has since been fixed) an attacker, without any authentication, to submit a phone number or email address and learn the unique ID of the Twitter account it belongs to; the ID is as good as the username, since it identifies the account directly. Twitter returned the match even when the user had set their privacy options so that nobody could find them by phone number or email. In effect, the endpoint acted as an oracle: feed it a list of phone numbers or addresses and it tells you which ones belong to a Twitter account, and which account.
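To make the pattern concrete, here is a small, constructed model of that kind of contact-discovery oracle next to a hardened version. This is example code written for this article, not Twitter's code or its API; the user records, IDs, contacts and privacy flags are all made up. The point it shows is that the leak is not a crash or an injection but a missing authorization check: the lookup answers with an account ID without first asking whether the account owner has opted in to being found that way, and whether the caller should be allowed to ask at all.

```python
"""Constructed model of a contact-discovery oracle and a hardened version.

Illustrative code for this article only: not Twitter's code, and not its API.
Every user, ID, email address, phone number and setting below is invented.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    handle: str
    email: str
    phone: str                    # E.164 form, e.g. "+15550000001"
    discoverable_by_email: bool   # "let people who have my email find me"
    discoverable_by_phone: bool   # "let people who have my phone number find me"


# Constructed directory: none of these people or contacts are real.
USERS = [
    User(1001, "alice", "alice@example.org", "+15550000001", True,  True),
    User(1002, "bob",   "bob@example.org",   "+15550000002", False, False),
    User(1003, "carol", "carol@example.org", "+15550000003", False, True),
]
BY_EMAIL = {u.email.lower(): u for u in USERS}
BY_PHONE = {u.phone: u for u in USERS}


def _find(contact: str) -> Optional[User]:
    """Resolve an email address or an E.164 phone number to a user record."""
    contact = contact.strip()
    if "@" in contact:
        return BY_EMAIL.get(contact.lower())
    return BY_PHONE.get(contact)


def lookup_vulnerable(contact: str) -> Optional[int]:
    """The flawed pattern: a 'does this contact already have an account?'
    check that hands the owner's ID to anyone who asks, ignoring both the
    caller's identity and the owner's discoverability settings."""
    user = _find(contact)
    return user.user_id if user else None


def lookup_hardened(contact: str, authenticated: bool) -> Optional[int]:
    """Fixed pattern: require an authenticated caller, honour the owner's
    per-channel opt-in, and make 'no such account' and 'opted out' look
    identical so the endpoint cannot be used as an existence oracle."""
    if not authenticated:
        return None
    user = _find(contact)
    if user is None:
        return None
    allowed = user.discoverable_by_email if "@" in contact else user.discoverable_by_phone
    return user.user_id if allowed else None


def enumerate_contacts(contacts: Iterable[str],
                       lookup: Callable[[str], Optional[int]]) -> Dict[str, int]:
    """What a scraper does with an oracle: feed it candidate emails and
    phone numbers and keep the ones that resolve to an account ID."""
    return {c: uid for c in contacts if (uid := lookup(c)) is not None}


if __name__ == "__main__":
    # A constructed "candidate list" such as a scraper might hold.
    candidates = ["bob@example.org", "+15550000003", "nobody@example.org"]
    print("vulnerable:", enumerate_contacts(candidates, lookup_vulnerable))
    print("hardened:  ", enumerate_contacts(
        candidates, lambda c: lookup_hardened(c, authenticated=True)))
```

Run against the same candidate list, the vulnerable lookup resolves both bob (who opted out of everything) and carol's phone number, while the hardened version returns only carol's phone match, because that is the one channel its owner allowed. In a real service the opt-in check would sit alongside per-account and per-IP rate limits on this endpoint, since even an opted-in answer becomes a bulk scraping tool when it can be queried millions of times.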

This data can be put to various uses. For example, it can be used to run targeted phishing attacks against specific users, or as additional information when attempting to take over an account through the password recovery process.

Is it real data?

The hacker collected the data in December 2021; the vulnerability was reported to Twitter on January 1 and fixed on January 13. Now, seven months later, the hacker has put the database up for sale for $30,000. But how can we know whether the data is genuine?

For now, Twitter has not made a statement on the matter, so there is no official information about the sale. However, the hacker gave the Bleeping Computer portal a small sample of the stolen data (with emails and phone numbers), and the portal reports that the sample is authentic. Whether all 5.4 million records in the database are genuine is another matter, and a harder one to verify. In addition, the list is not yet available on services such as Have I Been Pwned, so we cannot check whether or not we are in it.

Be that as it may, we should take extra precautions and be very alert to messages, calls or emails that try to deceive us. Although passwords do not appear to have been affected, we should also watch for any suspicious activity in our account (new followers we did not add, messages published without our permission, and so on), and, if we notice anything odd, change the password and review all of the security settings.
