Twitter has acknowledged that the microblogging social network was the victim of a data breach in which the details of 5.4 million user accounts were leaked, including phone numbers. Email addresses were also leaked, and while that may not seem too serious at first, it gives malicious actors the ability to run spam campaigns or attempt brute-force attacks (trying passwords one by one until the right one is found).
The origin of the breach was revealed, or at least published, on HackerOne a few months ago, specifically on January 1st of this year. Restore Privacy explains that a malicious actor exploited a vulnerability present in the Twitter app for Android and used it to obtain the data of 5.4 million accounts. A database containing that data went on sale yesterday on the well-known Breach Forums for $30,000.
It is worth noting that the user selling the database uses “devil” as a nickname and attributes the origin of the product to “Twitter’s incompetence”, which suggests that those responsible for the social network have not done their homework properly when it comes to protecting their users’ data.
‘zhirinovskiy’, the HackerOne user who reported the vulnerability in the Twitter Android app on January 1st, explained that “this is a serious threat, because people can not only find users who have limited their ability to be found by email/phone number, but any attacker with basic scripting/coding knowledge can enumerate a large portion of Twitter’s user base which is not available for enumeration (create a database with a phone/email connection to the username). Such databases can be sold to malicious parties for advertising purposes or to identify celebrities in various malicious activities.”
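The report above describes a contact-discovery lookup that ignored users’ discoverability settings and therefore worked as a yes/no oracle for mapping emails and phone numbers to accounts. The following is an added illustration, written for this article and not Twitter’s code or a reconstruction of the actual bug: a small lookup that shows the leaky pattern next to a hardened version that honours per-user settings, plus a monitor that flags a client probing many distinct identifiers. All user records, thresholds and function names are constructed for the example.

```python
"""Added example (not Twitter's code): discoverability-aware contact lookup
and a simple enumeration monitor. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class User:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = True
    discoverable_by_phone: bool = True


# Constructed sample directory: bob opted out of both channels, carol of phone only.
USERS = [
    User("alice", "alice@example.com", "+15550000001"),
    User("bob", "bob@example.com", "+15550000002",
         discoverable_by_email=False, discoverable_by_phone=False),
    User("carol", "carol@example.com", "+15550000003", discoverable_by_phone=False),
]
BY_EMAIL = {u.email: u for u in USERS}
BY_PHONE = {u.phone: u for u in USERS}


def lookup_vulnerable(identifier: str):
    """Leaky pattern: answers whenever the identifier is on file, ignoring the
    owner's discoverability choice. Each call is an existence oracle."""
    u = BY_EMAIL.get(identifier) or BY_PHONE.get(identifier)
    return u.handle if u else None


def lookup_hardened(identifier: str):
    """Answers only when the owner opted in to discovery via that channel.
    Opted-out and non-existent identifiers produce the same response."""
    u = BY_EMAIL.get(identifier)
    if u is not None:
        return u.handle if u.discoverable_by_email else None
    u = BY_PHONE.get(identifier)
    if u is not None:
        return u.handle if u.discoverable_by_phone else None
    return None


class EnumerationMonitor:
    """Flags a client that looks up more than `max_distinct` different
    identifiers; a legitimate contact sync stays small, a scraper does not."""

    def __init__(self, max_distinct: int = 20):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)

    def record(self, client_id: str, identifier: str) -> bool:
        """Returns True once the client exceeds the distinct-lookup threshold."""
        self.seen[client_id].add(identifier)
        return len(self.seen[client_id]) > self.max_distinct


def simulate_scraper(monitor: EnumerationMonitor, client_id: str, count: int) -> bool:
    """Constructed probe run: `count` distinct phone numbers from one client."""
    flagged = False
    for i in range(count):
        flagged = monitor.record(client_id, f"+1555100{i:04d}") or flagged
    return flagged


if __name__ == "__main__":
    print(lookup_vulnerable("bob@example.com"))   # leaks "bob" despite opt-out
    print(lookup_hardened("bob@example.com"))     # None
    print(simulate_scraper(EnumerationMonitor(), "client-A", 25))  # True
```

The hardened lookup alone does not stop bulk probing of users who left discovery on, which is why a server-side threshold like the monitor above (or a proper rate limit per client and per account) belongs next to it.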
Twitter took five days to respond, possibly because it took the time to verify the information posted by ‘zhirinovskiy’. After confirming the bug and working to fix the vulnerability, the company rewarded the HackerOne user with $5,040.
As we said before, the leaked data includes phone numbers and email addresses that were obtained even when the user had marked them as hidden. According to “devil”, the affected accounts include some belonging to celebrities and companies. The owner of Breach Forums has verified the authenticity of the leak and that it stems from the vulnerability published on HackerOne.
As a precaution, MuyComputer strongly recommends changing the passwords used to access Twitter and email if they are not strong enough (if a password manager is used, they should be changed regardless). A phone number is not so easy to change, so only in extreme cases, if a lot of suspicious activity (such as spam or phone harassment) is detected, would it be advisable to change it.