Twitter has generated much interest worldwide ever since Elon Musk announced his intention to acquire it. However, the platform is in the news this time for an entirely different reason.
A cybercriminal is reportedly selling the data of over five million Twitter users on a cybercriminal forum for at least £25,000. The scraped data contains users’ account IDs, email addresses, and phone numbers.
It is being reported that the hacker gained access to the data by exploiting a year-old vulnerability that enables anyone to obtain any user’s Twitter ID and other information without undergoing authentication checks.
The vulnerability was identified in January this year, when a report submitted through HackerOne showed that it allowed a threat actor to acquire the phone numbers and email addresses associated with Twitter accounts even if the user had hidden these fields in their account’s privacy settings.
The report was submitted on January 1 by a HackerOne user calling himself “zhirinovskiy”. He warned that the bug, which lay in the authorisation process of Twitter’s Android client, could pose a serious threat if hackers exploited it.
“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings.
“The bug exists due to the process of authorisation used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” Zhirinovskiy said.
As Zhirinovskiy predicted, a hacker going by the username “devil” in underground forums is now selling the Twitter database on Breached Forums for at least £25,000. “Devil” claims that the database includes details of “Celebrities, Companies, randoms, OGs, etc.”
In addition to the 5.4 million records available for sale, another 1.4 million Twitter profiles of suspended users were collected using a different Twitter application programming interface (API), bringing the total to almost 7 million affected Twitter profiles.
The owner of the Breached hacking forum, Pompompurin, confirmed that the second trove of data was not sold but was shared privately among a few people.
The news of this massive data leak was brought to light by security expert Chad Loder, whose account has now been suspended from the social media platform. Before this suspension, Loder tweeted, “I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in the EU and the US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021.”
Commenting on the news, Ed Williams, EMEA Director of SpiderLabs at Trustwave, said, “API (Application Programmer Interface) security appears to be one of the most underestimated areas of cyber security. APIs allow computers to communicate with one another, and account for ~80% of all the traffic that traverses the Internet. In short, APIs are very important and should be treated as such.
“Yet, we still see common security-related issues around APIs; most notably authentication (or lack of) based issues, a lack of resource and rate limiting, and generic API security misconfigurations like TLS, error handling, and logging. We know from recent data breaches that a combination of these can yield significant amounts of personal data.
“APIs, like all other forms of Internet-facing infrastructure, should be hardened from a security perspective; this can be achieved through appropriate threat modeling, security design, and focused Penetration Testing.
“It’s also important to consider APIs in terms of asset management; all too often APIs have been compromised without the client knowing the API existed in the first place. To be able to secure something, you must first know you have it or intend to have it,” Williams added.
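To make the flaw Zhirinovskiy described and the controls Williams lists concrete, here is an added toy model (not Twitter’s code, nor anything from the report) of an account-duplication check in its leaky and hardened forms. The account data, the `discoverable` privacy flag, the caller identifier and the rate-limit value are all assumptions made up for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    twitter_id: int
    email: str
    phone: str
    discoverable: bool  # "let others find me by email/phone" privacy setting (assumed)


# Constructed sample accounts (hypothetical, not real users).
ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550000001", discoverable=False),
    Account(1002, "bob@example.com", "+15550000002", discoverable=True),
]


def leaky_duplicate_check(contact: str) -> dict:
    """Models the flaw the report describes: any unauthenticated caller can
    submit an email or phone number, the privacy setting is never consulted,
    and the reply discloses the matching account's ID."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return {"exists": True, "twitter_id": acct.twitter_id}
    return {"exists": False}


RATE_LIMIT = 5          # lookups allowed per caller per window (assumed value)
_lookups = Counter()    # caller -> lookups made in the current window


def hardened_duplicate_check(contact: str, caller: Optional[str]) -> dict:
    """Hardened form: authenticated callers only, a per-caller rate limit,
    the discoverability setting honoured, and no identifier in the response.
    'Hidden by privacy settings' and 'no such account' look identical."""
    if caller is None:
        return {"error": "authentication required"}
    _lookups[caller] += 1
    if _lookups[caller] > RATE_LIMIT:
        return {"error": "rate limited"}
    found = any(contact in (a.email, a.phone) and a.discoverable for a in ACCOUNTS)
    return {"exists": found}
```

Alice has opted out of discovery, so the hardened check answers for her exactly as it would for an address that belongs to nobody.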