A hacker claims to have the phone numbers and email addresses of 5.4 million Twitter users. The database is for sale for $30,000.

Yesterday, a threat actor identified as ‘devil’ offered a database on a hacking forum, claiming the database contains the information of 5.4 million Twitter accounts. The contents of the database have not been verified.

“Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. 5485636 users, to be exact”, the post says. “These users range from Celebrities to Companies, randoms, OGs, etc.”

An old flaw?

A report by RestorePrivacy said that the flaw exploited to collect the data is the same one disclosed by HackerOne to Twitter on January 1. The flaw was fixed on January 13.

“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number or email even though the user has prohibited this action in the privacy settings”, said HackerOne at the time.

‘Devil’, the creator of the forum post, denied any affiliation with HackerOne in a statement given to the website BleepingComputer.

Public but problematic

Hackers abused the vulnerability by submitting email addresses and phone numbers to the lookup and harvesting the account IDs it returned. Equipped with these IDs, they most likely scraped the remaining public profile data to build user profiles.
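To make the flaw HackerOne described concrete, here is an added illustration (not Twitter's code) of a contact-lookup handler that answers unauthenticated callers and ignores the user's discoverability setting, beside a hardened version that requires a caller, honours the per-channel setting, and returns the same response for "opted out" and "not registered". The user records, settings and identifiers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    twitter_id: int
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool

# Constructed sample accounts; values are not real data.
USERS = [
    User(1001, "alice@example.com", "+15550000001", True, True),
    User(1002, "bob@example.com", "+15550000002", False, False),  # opted out
]

def lookup_vulnerable(identifier: str) -> dict:
    """Pattern the article describes: no authentication, the privacy
    setting is never consulted, and the two response shapes also reveal
    whether the email/phone belongs to any account at all."""
    for u in USERS:
        if identifier in (u.email, u.phone):
            return {"exists": True, "twitter_id": u.twitter_id}
    return {"exists": False}

def lookup_hardened(caller_id: Optional[int], identifier: str) -> dict:
    """Requires an authenticated caller, checks the discoverability flag
    for the channel actually used, and returns one uniform negative so
    'opted out' cannot be told apart from 'not registered'. Rate limiting
    per caller still belongs in front of this handler."""
    if caller_id is None:
        return {"error": "authentication required"}
    for u in USERS:
        if identifier == u.email and u.discoverable_by_email:
            return {"match": True, "twitter_id": u.twitter_id}
        if identifier == u.phone and u.discoverable_by_phone:
            return {"match": True, "twitter_id": u.twitter_id}
    return {"match": False}
```

The vulnerable handler hands back Bob's ID even though he opted out; the hardened one answers exactly as it would for an unknown address.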

This vulnerability is comparable to the method by which hackers obtained the Facebook account data of 533 million users last year. Even though the majority of the data being sold is public information, threat actors can use the email addresses and phone numbers in targeted phishing attempts.

As a result, all Twitter users should be cautious when receiving emails that appear to come from Twitter, especially those requesting login credentials.