A threat actor last month leaked data on 5.4 million Twitter accounts, obtained by exploiting a now-fixed vulnerability in the social media platform.
The stolen data was offered for sale on the hacking forum Breached Forums.
The vulnerability allowed any party, without authentication, to obtain the Twitter ID of any user by submitting a phone number or email address, even when the user had disabled discovery by phone or email in the privacy settings. The bug lay in the authorization flow used by Twitter's Android client, specifically in the step that checks whether an account already exists for a given phone number or email (the account-duplication check): that check answered with the matching account's identifier, so it doubled as an unauthenticated lookup oracle that bypassed the privacy setting.
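As an added illustration (not Twitter's code, and not from the HackerOne report), the following model shows the shape of the bug described above beside one way to close it. The sample accounts, field names, endpoint names and the rate limiter are all constructed for this example.

```python
# Added example, not Twitter's code: a minimal model of an account-enumeration
# bug in a signup-time duplicate check, and a hardened version of the same check.
# All names, users and the limiter below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional
import time


@dataclass
class User:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool   # "Let people who have your email find you"
    discoverable_by_phone: bool   # "Let people who have your phone number find you"


# Constructed sample accounts; the second one has opted out of discovery.
USERS = [
    User(1001, "alice@example.com", "+15550001", True, True),
    User(1002, "anon@example.com", "+15550002", False, False),
]


def _find_by_identifier(identifier: str) -> Optional[User]:
    """Match an email or phone number against the constructed user table."""
    identifier = identifier.strip().lower()
    for u in USERS:
        if identifier in (u.email, u.phone):
            return u
    return None


def vulnerable_duplicate_check(identifier: str) -> dict:
    """Signup-time 'is this email/phone already in use?' check with the flaw the
    article describes: no authentication, privacy settings ignored, and the
    response carries the account id, so it works as an identifier-to-ID oracle."""
    u = _find_by_identifier(identifier)
    if u is None:
        return {"taken": False}
    return {"taken": True, "user_id": u.user_id}


class RateLimiter:
    """Fixed-window per-caller limiter (constructed helper, in-memory only)."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits: dict = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        start, n = self._hits.get(key, (now, 0))
        if now - start >= self.window_s:
            start, n = now, 0
        self._hits[key] = (start, n + 1)
        return n + 1 <= self.limit


def hardened_duplicate_check(identifier: str, caller: str, limiter: RateLimiter) -> dict:
    """Same signup check with the leak closed: the response says only whether the
    address can be used and never carries an id, so it cannot map a phone number
    or email to an account; the per-caller limit slows bulk probing."""
    if not limiter.allow(caller):
        return {"error": "rate_limited"}
    return {"taken": _find_by_identifier(identifier) is not None}


def contact_discovery_lookup(identifier: str, authenticated: bool) -> Optional[int]:
    """The only path that should map an identifier to a user id: it requires a
    logged-in caller and honours the target account's discoverability setting."""
    if not authenticated:
        return None
    u = _find_by_identifier(identifier)
    if u is None:
        return None
    is_phone = identifier.strip().startswith("+")
    allowed = u.discoverable_by_phone if is_phone else u.discoverable_by_email
    return u.user_id if allowed else None
```

Even the hardened check still reveals whether an address is registered; where signup UX allows it, the stronger design sends a verification message to the supplied address and returns the same response whether or not it is already in use, so the endpoint discloses nothing to an unauthenticated caller.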
The seller claimed that the database contained phone numbers of users ranging from celebrities to companies, shared a sample of the data as a CSV file, and asked for $30,000.
The owner of Breached Forums vouched for the authenticity of the leak and pointed out that the data had been extracted using the vulnerability described in the HackerOne report.
Twitter has now confirmed that the breach was caused by the now-patched vulnerability reported by zhirinovskiy through the HackerOne bug bounty platform, for which the company paid a bounty of $5,040.
The company is notifying the impacted users. It also said it is aware of the risk the breach poses to users who run a pseudonymous Twitter account to protect their privacy, since the leak ties a phone number or email address to such an account.
No passwords were exposed, but Twitter recommends that users enable MFA using an authentication app or a hardware security key to protect their accounts from unauthorized logins.