Twitter has been the victim of a new hack. By exploiting a vulnerability that was already known, having been discovered in January of this year, a hacker has apparently managed to access the personal data (phone numbers and emails) of 5.4 million users.
The data has been put up for sale on an online forum by a user called “devil”. According to his post, he has the data of 5,485,636 users, including celebrities, companies and other users. The sale price? $30,000. Twitter has confirmed that it is investigating the situation, but there is no further information at the moment.
A known vulnerability
As noted above, the vulnerability exploited by the hacker was reported (and, in principle, patched) in January. It allowed an attacker to obtain a user's phone number and email address through a specific flaw in the Twitter client for Android.
The catch is that it worked even when the user had hidden this information in the privacy settings. HackerOne user “zhirinovskiy” reported the problem to Twitter; not only was it verified, but Twitter rewarded the user with $5,040.
Although this vulnerability had already been patched, it is the same one that “devil” has apparently used to obtain the data of 5.4 million users. The information is on sale for $30,000 on the same forum where, at the beginning of the month, the data of a billion Chinese people was being sold.
A few hours after the forum post, the forum itself verified the authenticity of the leak and the extraction method. Restore Privacy also claims to have validated the information using the sample made available by “devil” and, indeed, the leaked data seems correct.
Be that as it may, we will have to wait for Twitter to make a statement and give more information. For now, we only know that they are investigating the matter.
Via | RestorePrivacy