December 4, 2023

You may need to check your email to see if Twitter believes your account got hacked.

Twitter has confirmed that a data breach allowed a hacker to gain access to the contact details of up to 5.4 million accounts.

The data – which ties Twitter handles to phone numbers and email addresses – has been offered for sale on a hacking forum, for $30,000.

Restore Privacy offered the following breakdown of the breach, which was made possible by a vulnerability discovered back in January:

A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.

Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings […]

A threat actor is now selling the data allegedly acquired from this vulnerability. Earlier today we noticed a new user selling the Twitter database on Breached Forums, the well-known hacking forum that gained worldwide attention earlier this month with a data breach exposing over 1 billion Chinese citizens.

The post is still live now with the Twitter database allegedly consisting of 5.4 million users being for sale. The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.”

The publication also cited two samples from the database to confirm the authenticity of the breach:

We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.

All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter.

Per HackerOne, the vulnerability allowed anyone to enter a phone number or email address, which then located a user’s twitterID, an internal identifier used by Twitter that can be readily converted to a Twitter handle:

This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.

Also a cool feature that I discovered is that you can even find the ids of suspended Twitter accounts using this method.
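To make the reported flaw concrete, here is an added illustration (not Twitter's code, and the accounts are constructed) of a contact-lookup endpoint with the behaviour the report describes, beside a hardened version: it honours the user's discoverability setting, hides suspended accounts, returns the same response shape for "opted out" and "no such account", and counts lookups per client so bulk enumeration can be throttled and alerted on.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    handle: str
    email: str
    phone: Optional[str]
    discoverable: bool          # the "let others find me by email/phone" privacy setting
    suspended: bool = False


# Constructed sample accounts for the illustration; not real Twitter data.
ACCOUNTS = [
    Account(1001, "alice_example", "alice@example.com", "+15555550100", True),
    Account(1002, "bob_example", "bob@example.com", "+15555550101", False),
    Account(1003, "carol_example", "carol@example.com", None, True, suspended=True),
]


def lookup_vulnerable(contact: str) -> Optional[int]:
    """Behaviour described in the report: returns the internal id for any matching
    email/phone, ignoring the privacy setting and the account's suspended state."""
    for a in ACCOUNTS:
        if contact in (a.email, a.phone):
            return a.user_id
    return None


class HardenedLookup:
    """Only reveals accounts that opted in to discovery and are not suspended, makes
    'opted out' indistinguishable from 'not found', and throttles per-client volume
    (an enumeration run shows up as one client hammering the endpoint)."""

    def __init__(self, max_lookups_per_client: int = 20):
        self.max = max_lookups_per_client
        self.counts = defaultdict(int)   # hypothetical in-memory counter per client id

    def lookup(self, client_id: str, contact: str) -> dict:
        self.counts[client_id] += 1
        if self.counts[client_id] > self.max:
            return {"status": "rate_limited"}     # where detection/alerting would hook in
        for a in ACCOUNTS:
            if contact in (a.email, a.phone) and a.discoverable and not a.suspended:
                return {"status": "ok", "user_id": a.user_id}
        return {"status": "ok", "user_id": None}  # identical for opt-out and not-found
```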

There’s currently no sure way to check whether your account was included in the data breach, and it pays to be wary of phishing attacks, where the emails claim to be from a trusted company or party, and then ask you to log into your account.

Twitter confirmed the existence of the vulnerability, and offered the following comment to affected users:

This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.

In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

We will be directly notifying the account owners we can confirm were affected by this issue.

Please be careful out there and stay tuned for more details as they become available.

Via 9to5Mac, Restore Privacy, HackerOne, and Twitter