Threat actors exploited a vulnerability on Twitter to create a database of phone numbers and email addresses belonging to 5.4 million accounts. The data is now being sold for $30,000 on a hacker forum.
Yesterday, a threat actor known as the ‘devil’ stated on a stolen data market that the database contains information about various accounts, including celebrities, businesses, and random users.
“Hello, today I’ll present data collected on multiple Twitter users through a vulnerability. (5485636 users in total),” reads the forum post offering the Twitter data for sale. “These users range from celebrities to businesses, randoms, OGs, and so on.”
According to the vulnerability disclosure by security researcher ‘Zhirinovsky’, the flaw allows any party, without any authentication, to obtain the Twitter ID of any user by submitting a phone number or email address, even if the user has prohibited this action in their privacy settings.
Threat actors exploited a similar vulnerability in 2021 to scrape the Facebook account information of 533 million users.
Source: bleepingcomputer.com, Ziroh Alert (#ZirohAlert)