Last August, Twitter disclosed a vulnerability that allowed users to enter a phone number or email address into the log-in page and get information relating to existing Twitter accounts. Now we know that this API vulnerability allowed malicious actors to collect the private data of 5.4 million users. First reported by Restore Privacy, the vulnerability used to collect the data is the same one disclosed to Twitter through HackerOne in January 2022. HackerOne member “Zhirinovsky” described it in the following terms:
“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings.”
The vulnerability was said to have been exploited in December 2021 to collect the 5.4 million users’ data, and last July threat actors began selling private information on a hacking forum for $30,000. According to a new report from BleepingComputer, the 5.4 million user records (containing the data) have been shared for free on a hacker forum. In addition, the data of 1.4 million suspended Twitter profiles has now been shared privately.
The authors of the report reached out to Pompompurin, owner of Breached hacking forum. He claimed that “they were responsible for exploiting the bug and creating the massive dump of Twitter user records after another threat actor known as ‘Devil’ shared the vulnerability with them.” There are fears now that an even larger data dump (of 17 million users’ data) could be leaked. At the time of writing, Twitter has not yet confirmed the additional data that, allegedly, has also been collected.
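The flaw described in the disclosure is an account-lookup endpoint that answers a phone number or email with the account's ID regardless of the owner's privacy setting. The following is an added illustration, not Twitter's code, of that pattern beside a hardened version: the account records, IDs and contact values are constructed, and the `caller_authenticated` flag stands in for whatever session check a real service would perform.

```python
# Added illustration (not Twitter's code): a contact-to-account lookup that
# ignores the owner's discoverability setting, beside a hardened version.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool   # the user's "let others find me by email" setting
    discoverable_by_phone: bool   # the user's "let others find me by phone" setting


# Constructed sample data; IDs and contact details are made up.
ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550100", False, False),
    Account(1002, "bob@example.com", "+15550101", True, True),
]


def _find(contact: str) -> Optional[Account]:
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct
    return None


def lookup_vulnerable(contact: str) -> Optional[int]:
    """The flaw as disclosed: any unauthenticated caller learns the user ID
    behind a phone/email, whether or not the owner allowed discovery."""
    acct = _find(contact)
    return acct.user_id if acct else None


def lookup_hardened(contact: str, caller_authenticated: bool) -> Optional[int]:
    """Require an authenticated caller and honour the per-channel opt-in.
    'Not found' and 'not discoverable' both return None so the response
    never confirms that a contact belongs to some account. A real service
    would also rate-limit this endpoint per caller."""
    if not caller_authenticated:
        return None
    acct = _find(contact)
    if acct is None:
        return None
    allowed = acct.discoverable_by_email if "@" in contact else acct.discoverable_by_phone
    return acct.user_id if allowed else None
```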
What You Should Do
Leaked personal information can be used for phishing attacks and other scams — so be wary of any suspicious emails or texts, especially ones claiming to come from Twitter. It is strongly recommended that you turn on two-factor authentication (2FA), if you haven’t already.
Additionally, criminals will often use leaked phone numbers to send people smishing (SMS phishing) scams. These text message scams will most likely claim that there is an urgent problem you need to resolve — an issue with the security of your bank account, for example — and instruct you to click on a link. Such links lead to malicious websites designed to harvest your information or steal your money and/or identity. If you’re a Twitter user, be alert to such scams.
We would recommend downloading our complimentary scam detection tool, Trend Micro ScamCheck. It’ll keep you safe so you don’t have to worry about getting tricked. ScamCheck is an all-in-one browser extension and mobile app for detecting scams, phishing attacks, malware, and dangerous links — and it’s FREE!
After you’ve pinned the ScamCheck extension, it will block dangerous sites automatically! (Available on Safari, Google Chrome, and Microsoft Edge).
You can also download the ScamCheck mobile app for 24/7 automatic scam and spam detection and filtering. (Available for Android and iOS).
Check out this page for more information on ScamCheck.
If you’ve found this article an interesting and/or helpful read, please do SHARE it with friends and family to help keep the online community secure and protected. And don’t forget to leave a like and a comment!