Over 5 Million Accounts Affected in Recent Twitter Hack
Email addresses and phone numbers associated with the accounts have been leaked

Well, it’s almost like every other day Twitter is hit with a hack. But this time, your data could have been compromised too. Recently, a hacker was able to exploit a vulnerability in Twitter, which gave him access to millions of email addresses and phone numbers associated with Twitter accounts.

Back in January 2022, Twitter received a report through its bug bounty program about a potential vulnerability. This is exactly what was exploited recently, and it pertains to accounts where people had submitted an email address or phone number to Twitter’s systems. Twitter was able to quickly patch it at the time, but didn’t have any knowledge of misuse in the wild. They were first notified of the leak last month, and after reviewing the data, Twitter has now officially confirmed the leak.

RestorePrivacy was also able to talk to the hacker in question, and he explained that the data was collected in December 2021, which is before the vulnerability was patched. The hacker is also looking to sell the entire leaked database of 5.4 million users for $30,000. The contents, though, are very random, and include everything from celebrities, companies, individuals, random accounts and more.

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”
– HackerOne Report on the Vulnerability

Twitter will directly inform the users affected by the vulnerability, although they don’t yet have confirmation of the actual accounts in the database. While this isn’t an overtly personal leak, like one involving passwords, it can still affect people by way of phishing or more sophisticated attacks.

You can read more about the exact nature of the vulnerability here.