In January, a cybersecurity expert with the username “zhirinovskiy” reported a Twitter vulnerability on the HackerOne forum. The user explained in detail how the log-in pipeline vulnerability works and how easily it could be executed in a few steps. The key takeaway was that by submitting just a phone number or email address, a malicious party could learn which Twitter account it was linked to. The flaw was found in Twitter’s Android app.
Roughly two weeks later, a Twitter employee confirmed that the issue was fixed and also awarded a bug bounty worth $5,040 to zhirinovskiy for finding and helping fix the “valid security issue” (via Restore Privacy). However, the patch arrived too late. According to Restore Privacy, a bad actor going by the username “devil” had already exploited the security flaw to scrape the data of 5,485,636 Twitter accounts.
The stolen data was then listed for sale on the notorious dark web hacking community called Breached Forums. “These users range from Celebrities, to Companies, randoms, OGs, etc.,” the hacker wrote in his post (via Restore Privacy). The authenticity of the data was verified by the hacker as well as the experts over at Restore Privacy. Interestingly, the hacker demanded a paltry sum of $30,000 for the data belonging to over 5.4 million Twitter accounts.