In case you haven’t been closely following in-depth hacker news feeds (and we don’t blame you if you haven’t), you may have missed an announcement in January from HackerOne detailing a security vulnerability in the Twitter code. The vulnerability let hackers steal phone numbers and emails of users.
Well, a list of millions of Twitter users just showed up for sale on the dark web.
Restore Privacy, a security and privacy watchdog, reported the list of 5.4 million Twitter user emails and phone numbers for sale on a dark web site called Breached Forums. The hacker selling the list claims it contains the private data of “Celebrities, to Companies, randoms, OGs, etc.”
The vulnerability found in January and the sale of personal datasets from Twitter are too closely linked to be mere coincidence.
In January, HackerOne user zhirinovskiy submitted a bug report he had found while analyzing Twitter’s codebase. It was an exploit that could potentially allow a threat actor to access the emails and phone numbers of Twitter users. Although there was no sign of a data breach at the time, zhirinovskiy was concerned.
“This is a serious threat,” zhirinovskiy said in his bug report. “As people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections).”
“Thank you for your report @zhirinovksiy,” a Twitter employee named bugtriage_simon replied to the report. “We’re looking into this and will keep you updated when we have additional information. Thank you for thinking of Twitter security.”
The reply came on January 6, five days after zhirinovskiy posted his report.
On January 13, Twitter closed the report and commented: “We consider this issue to be fixed now. Can you please confirm?”
“I can confirm the issue is fixed,” zhirinovskiy replied the same day. Twitter rewarded him for his efforts.
Judging from the exchange of comments on the initial bug report, it took nearly two weeks for Twitter to fix the vulnerability. At some point, a threat actor snuck in and stole 5.4 million datasets. Whether it was done before zhirinovskiy discovered the exploit or after he had posted it remains unknown. What is known is those emails and phone numbers are now for sale.
If your data was included in the breach, you can expect to receive an uptick in spam emails and scammer calls. We recommend using Apple’s Hide My Email if you have iPhone. Also, check out our tips for increasing your online privacy.
