Twitter launches an investigation after miscreants claim to have stolen 5.4M users’ details
- Post by: Irjar Jira
- July 25, 2022
Twitter is investigating claims that a vulnerability in its software, disclosed almost seven months ago, has been exploited to obtain the email addresses and phone numbers of an estimated 5.4 million users.
A miscreant using the handle “devil” claims to have siphoned the details and is selling them on a cyber-crime forum, according to RestorePrivacy, a digital privacy advocacy group that first reported the security breach. The information is believed to belong to celebrities, companies and ordinary netizens.

“We are looking at the most recent data to verify the authenticity and ensure the security of the accounts concerned,” a Twitter spokesperson said in an email to The Register. The statement also mentioned that the exploited bug had been reported to Twitter’s bug bounty program, and was fixed in January.

“We received a report about this incident several months back through our bug bounty program. We immediately investigated the matter thoroughly and then fixed the issue,” the spokesperson stated. “We are committed to protecting the privacy of all users of Twitter. We are grateful to the security community that participates in our bug bounty program to identify potential vulnerabilities like this.”

The Twitter spokesperson didn’t respond to The Register’s questions about whether owners of the affected accounts have been notified and what the company is doing to resolve the problem.
A HackerOne user, zhirinovskiy, disclosed the privacy flaw, which lies in the authorization process of Twitter’s Android client, on New Year’s Day. Through an oversight in the software’s design, it could be used to extract the phone numbers and email addresses of users who had registered Twitter accounts.

“This poses a serious threat, as people can find users with restricted access to email/phone numbers. However, any attacker with a basic understanding of scripting/coding could enumerate a large portion of Twitter’s user base that was not available for enumeration (create a database with username/phone connections),” zhirinovskiy wrote back then. “Such bases can be sold for advertising purposes or to [target] celebrities in other malicious activities,” the bug hunter said. “I also discovered a cool feature: you can use this method to find the ids of suspended Twitter accounts.”

Twitter paid zhirinovskiy a $5,040 bounty for the discovery, and fixed the vulnerability on January 13.

Last Wednesday, RestorePrivacy stated that it had purchased the Twitter database from Breached Forums. It then analyzed the samples and confirmed that the matches were “real-world people that are easily verified using public profiles on Twitter.” The organization also reached out to Devil, the seller, who wanted $30,000 for the information and blamed “Twitter’s incompetence” for the leak.
Bootnote
Speaking of Twitter, Elon Musk, the tech tycoon accused of trying to wriggle out of buying the website, has denied a Wall Street Journal report that he had an affair with Nicole Shanahan, the wife of Google co-founder and Musk’s friend Sergey Brin. It is claimed that Musk met Shanahan in the middle of last year, while she was living with Brin but separated. According to reports, the Google billionaire filed for divorce and ended his friendship with SpaceX chief executive Musk. “This is total BS,” Musk tweeted on Sunday. “Sergey is a friend and we were at a party last night together! I’ve only seen Nicole once in three years. Both times were with many people. There is nothing romantic.”