A Twitter vulnerability identified in January was exploited to gain access to phone and email data from 5.4 million users.
This data set is now being sold on a popular hacking forum for R490,000.
Back in January, a report of a Twitter vulnerability was made on the HackerOne forum. The HackerOne forum exists as a platform for coordinating what is known as “bug bounties”.
This is a strategy used by many large companies that offer rewards to individuals who identify security vulnerabilities and bring them to the company’s attention without taking advantage of them.
This vulnerability involved the Twitter Android client’s authorisation process. It could be used to collect the phone numbers and / or email addresses connected to Twitter usernames.
As the user who found the exploit and made the original report states, this could be used to target specific users - whether that is revealing their identity or using the sensitive information for harassment.
Five days after the report was first posted, Twitter replied on the HackerOne forums, acknowledging the exploit to be a “valid security issue”.
After further investigation, Twitter said they were working on a fix and awarded the user with a $5040 bounty, or almost R83,000.
On July 21, the internet privacy platform RestorePrivacy reported seeing Twitter data for sale on Breached Forums. This infamous hacking forum is the same as the one which gained international attention in July for hosting the sale of a data breach from over 1 billion Chinese citizens.
The owner of Breached Forums subsequently verified the leak and that the data was collected using the same exploit previously reported on HackerOne. The data set includes phone numbers, email addresses and usernames for 5.4 million Twitter users.
RestorePrivacy reached out to the user back in July and found out the minimum asking price for the data was $30,000 or R490,000 at the time.
It is unclear at what stage the illicit data collection occurred between the initial HackerOne report, Twitter’s acknowledgement, and the data going up for sale.
But now, in August, Twitter has released a statement regarding the leak, saying that they would contact all account owners involved.
IOL Tech