Hacker steals private data of 5.4 million Twitter users

A hacker managed to infiltrate Twitter's internal systems. In doing so, he managed to capture the e-mail addresses and phone numbers of 5.4 million Twitter users. This private data is now being offered for sale on the dark web. Twitter confirmed the data breach and is currently investigating the matter. Tech site Restore Privacy discovered the data theft.

VPN Guide July 25, 2022

News press release

Discoverer gets $5,000 reward for reporting vulnerability

The vulnerability exploited by the perpetrator was reported to bug bounty program HackerOne in January of this year. The vulnerability allowed anyone to obtain a Twitter ID without any form of authentication, and thus effectively the username of any Twitter account. It also left e-mail addresses, phone numbers and other data up for grabs.

A few days later, Twitter acknowledged that this was a serious security problem. In recognition of the report, the discoverer was awarded a reward of just over $5,000. The leak was closed immediately. Unfortunately for millions of Twitter users, it was too late by then and someone was found to have exploited the vulnerability in the authorization process.

Stolen data offered for sale on the dark web

The attacker managed to capture e-mail addresses and phone numbers of a total of 5,485,636 Twitter users. From this data, he created a database that he then offered for sale on Breached Forums. The dark web hacker forum gained name recognition earlier this month for offering a dataset consisting of data from more than one billion Chinese people.

The for-sale notice appeared on Thursday, July 21, and is still online. The seller published a sample of the stolen private data that day. This allowed security experts to determine that the data was legitimate.

Restore Privacy examined the data from the sample. It says Twitter users from all over the world were victims of the data breach. The tech site confirms that real names, location data, number of followers, profile descriptions, email addresses and phone numbers were stolen in addition to usernames. The sample did not contain passwords.

Perpetrator demands at least $30,000

The editors of Restore Privacy contacted the hacker and asked how much he wanted for the entire database. He responded with: "Nothing less than $30,000." Further, he said the data breach was possible because of "Twitter's incompetence."

Finally, Restore Privacy contacted Twitter to ask for an explanation. In a response, Twitter acknowledged that the incident is real and the data breach actually occurred. The microblogging service would not share more details at this time, as the matter is currently under investigation.

Hackers try to steal login credentials of Verified Accounts

In May, Twitter was the target of a phishing campaign. Cybercriminals targeted the login credentials of Verified Accounts. These are accounts with a blue checkmark or badge next to their username. This indicates that the account is the official account of an artist, journalist, politician or other prominent person in a particular community.

The scam went like this. Twitter users with a verified account received an e-mail saying something was wrong with their profile. They had to take immediate action to keep their account. The message contained a URL that redirected recipients to the page where they could supposedly verify their information. In reality, it was a phishing page that required Twitter users to enter their login information.

They then received a "verification code" by text message. The perpetrators combined the login information with this code to perform a password reset. In this way, victims lost control of their accounts. How many people fell for this scam is unknown.
