Twitter data breach exposes 5.4 million accounts. Hacker is offering the data for $30k

Are you a Twitter user? If yes, read on.

Just recently, Twitter confirmed that they had a data breach in which the hacker was able to obtain contact details of as many as 5.4 million users. These contact details were reportedly offered for sale, by someone who called himself ‘devil’, for US $30,000 on a hacking forum. He claims that the dataset includes details “from Celebrities, to Companies, randoms, OGs, etc.”

Source: RestorePrivacy

The breach revealed the phone numbers and email addresses tied to the Twitter handles. That means that even if you hid these in your privacy settings, the hacker would still have been able to obtain them.

Twitter knew about the vulnerability and fixed it!

As early as January of this year, Twitter was already informed of the vulnerability. A user named zhirinovskiy reported the threat on HackerOne, “a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers” according to Wikipedia. Part of zhirinovskiy’s report goes as follows:

“This is a serious threat, as people can not only find users who have disabled discoverability by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities. Short: this can lead to a loss of privacy for many users.”

Twitter investigated the issue, acknowledged the vulnerability, fixed it, and even paid zhirinovskiy a bounty.
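As an added illustration of the bug class described above (this is not code from Twitter or from the HackerOne report), here is a toy model in Python of a contact-discovery lookup: the flawed version resolves an email or phone number to a handle regardless of the user's discoverability settings, while the hardened version only answers when the user opted in and otherwise responds exactly as it would for an unknown contact. The accounts, handles and field names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool


# Constructed sample accounts for the example; not real data.
USERS = [
    User("alice_public", "alice@example.com", "+15550001", True, True),
    User("bob_private", "bob@example.com", "+15550002", False, False),
]


def lookup_flawed(contact: str) -> Optional[str]:
    """Flawed lookup: maps email/phone to a handle and never consults the
    discoverability flags, so accounts that opted out are still exposed."""
    for u in USERS:
        if contact in (u.email, u.phone):
            return u.handle
    return None


def lookup_hardened(contact: str) -> Optional[str]:
    """Hardened lookup: returns a handle only when the user allowed discovery
    by that specific contact type. An opted-out account and a non-existent
    account produce the same answer, so the response leaks nothing."""
    for u in USERS:
        if contact == u.email and u.discoverable_by_email:
            return u.handle
        if contact == u.phone and u.discoverable_by_phone:
            return u.handle
    return None


if __name__ == "__main__":
    # The flawed endpoint reveals the hidden account; the hardened one does not.
    print("flawed:  ", lookup_flawed("bob@example.com"))
    print("hardened:", lookup_hardened("bob@example.com"))
```

Note that the hardened version checks the flag matching the contact type, since a user may allow discovery by email but not by phone number.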

However, it appears that even before the vulnerability was patched, it was already exploited.

Bleeping Computer reports that “two different threat actors purchased the data for less than the original selling price and that the data would likely be released for free in the future.”

What can we do?

I am a Twitter user and I have more than one handle. So, of course, I am concerned. What can someone with this information do with it? Twitter is not the first social media platform to experience a data breach. Others before it have been breached too. It is a constant risk for anyone who is online.

Twitter is said to be informing impacted users, so if you do not get any email from Twitter, I guess it is safe to assume your account is not one of those compromised.

While no passwords were exposed, according to Twitter, it strongly recommends that its users enable two-factor authentication (2FA) and use third-party authentication apps or hardware security keys to protect against unauthorized logins.

Since it appears that some threat actors have already purchased the dataset, be aware that in the future, there could be wider phishing attempts to steal your Twitter login credentials. Always check your email for any reports of attempts to access your Twitter account or change the email address associated with it. Whenever you see any signs of intrusion attempts, immediately change your password and make it a very strong one.

I have had 2FA enabled for some time already, so I am crossing my fingers that it will be enough for now. But of course, vigilance will be needed.


Tita Jane

Tita forever, geek forever!!! Loves gadgets more than clothes... First introduced to IT via punched cards and COBOL programming... IT auditor for over 5 years... IT consultant covering the financial industry for over 7 years... Now, a blogger and social media practitioner...and still covering the IT world, among other interests. And proud that all my kids are geeky as well. ~ Tita Jane Uymatiao
