Twitter fixes a software flaw that allows a hacker to steal information from 5.4 million accounts

Twitter has fixed a flaw in its software that allowed a hacker known as ‘devil’ to harvest the phone numbers and email addresses tied to 5.4 million accounts, a dataset they then offered for sale on the dark web for $30,000

  • A bad actor accessed Twitter through a zero-day vulnerability
  • A zero-day vulnerability is a software flaw unknown to site managers
  • The vulnerability allowed them to harvest information, including phone numbers and emails, and offer 5.4 million accounts for sale on the dark web.

Twitter confirmed on Friday that the zero-day vulnerability which allowed a bad actor to compile a list of 5.4 million account profiles in December 2021 has been patched.

A zero-day vulnerability is a software flaw unknown to the parties responsible for the software, so no fix exists when it is first exploited; until it is found and patched, it is an open door for anyone who has discovered it.

The vulnerability allowed the hacker known as “devil” to scrape Twitter and harvest the phone numbers and emails associated with millions of accounts belonging to “celebrities, businesses and random people”, according to a message from the hacker on the dark web, which blamed the collection on “Twitter’s incompetence”.

The fix comes too late, as the hacker has already uploaded the data to the dark web and was selling the dataset for $30,000. It is unclear how many copies were bought, BleepingComputer reports.


Twitter fixed a flaw in its software that allowed a hacker to compile the phone numbers and email addresses associated with 5.4 million accounts

Twitter said in a security advisory on Friday: ‘In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if there was one.

“This bug resulted from an update to our code in June 2021. When we learned of this, we immediately investigated and fixed it. At that time, we had no evidence to suggest anyone had taken advantage of the vulnerability.”
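The flaw Twitter describes is an account-discovery oracle: an endpoint that resolves a submitted email address or phone number to the account behind it, which an attacker can sweep with a large list of identifiers. The Python below is an added illustration and is not Twitter's code; the directory, handles, identifiers and the per-account "discoverable" opt-in setting are all constructed assumptions for the example. It shows the vulnerable pattern (every identifier resolved, hits and misses distinguishable) beside a hardened one (only opted-in matches returned, so "no account" and "opted out" look identical, and lookups are rate-limited per caller by identifier count so batching does not help).

```python
"""Account-discovery oracle: vulnerable pattern beside a hardened one.

Added example, not Twitter's code. ACCOUNTS, the handles, the identifiers
and the 'discoverable' opt-in flag are constructed for illustration.
"""
import time


# Constructed directory: identifier -> account record. 'discoverable' is an
# assumed per-account setting meaning "let others find me by this contact".
ACCOUNTS = {
    "alice@example.com": {"handle": "@alice", "discoverable": False},
    "+15550100": {"handle": "@bob", "discoverable": True},
    "carol@example.net": {"handle": "@carol", "discoverable": True},
}


def normalise(identifier: str) -> str:
    """Canonicalise an identifier so case/whitespace variants hit the same key."""
    return identifier.strip().lower()


def vulnerable_lookup(identifiers):
    """Flawed pattern: resolve every submitted identifier to a handle,
    ignore the owner's opt-in, and make hits and misses distinguishable
    (a handle versus None). Fed a list of emails or phone numbers, this
    tells an attacker exactly which ones belong to an account and to whom."""
    result = {}
    for ident in identifiers:
        entry = ACCOUNTS.get(normalise(ident))
        result[ident] = entry["handle"] if entry else None
    return result


class RateLimited(Exception):
    """Raised when a caller exceeds its lookup budget for the current window."""


class HardenedDiscovery:
    """Hardened pattern: honour the opt-in and rate-limit per caller.

    Non-existent identifiers and opted-out accounts are both simply omitted
    from the response, so the endpoint no longer leaks existence. The budget
    is charged per identifier, not per request, so large batches cannot be
    used to sweep millions of contacts.
    """

    def __init__(self, max_lookups_per_window=100, window_seconds=3600,
                 clock=time.monotonic):
        self.max_lookups = max_lookups_per_window
        self.window = window_seconds
        self.clock = clock  # injectable for testing
        self._usage = {}    # caller_id -> [window_start, identifiers_used]

    def _charge(self, caller_id, n):
        """Fixed-window budget check; rejects the whole batch if it would overflow."""
        now = self.clock()
        start, count = self._usage.get(caller_id, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        if count + n > self.max_lookups:
            self._usage[caller_id] = [start, count]
            raise RateLimited(
                f"{caller_id} exceeded {self.max_lookups} lookups per window")
        self._usage[caller_id] = [start, count + n]

    def lookup(self, caller_id, identifiers):
        """Return {submitted identifier: handle} for discoverable matches only."""
        self._charge(caller_id, len(identifiers))
        matches = {}
        for ident in identifiers:
            entry = ACCOUNTS.get(normalise(ident))
            if entry is not None and entry["discoverable"]:
                matches[ident] = entry["handle"]
        return matches


if __name__ == "__main__":
    probe = ["Alice@Example.com", "+15550100", "nobody@example.org"]
    print("vulnerable:", vulnerable_lookup(probe))
    hardened = HardenedDiscovery(max_lookups_per_window=5, window_seconds=60)
    print("hardened:  ", hardened.lookup("caller-1", probe))
    try:
        hardened.lookup("caller-1", ["x@example.org", "y@example.org", "z@example.org"])
    except RateLimited as exc:
        print("rejected:  ", exc)
```

Against the same three probes the vulnerable lookup reveals that alice@example.com maps to @alice and that nobody@example.org has no account; the hardened lookup returns only @bob, because Alice has opted out and the unknown address is omitted in exactly the same way, and a follow-up batch that would push the caller past its budget is refused outright.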

Twitter told BleepingComputer that it knows who some of the users affected by the hack are and is sending notifications to those people to let them know that their phone number or email address has now been compromised.

However, the social media platform does not know how many users fell victim.


At this time, Twitter says it cannot determine the exact number of people affected by the breach. No passwords were collected by “devil”, so the accounts themselves were not taken over; what leaked is the link between an account and its owner’s phone number or email address.

Twitter urges users to enable two-factor authentication on their accounts to prevent anyone from wrongfully accessing them. Two-factor authentication guards against account takeover; it does not undo the exposure of a phone number or email address already in the dataset.

“We are issuing this update because we are unable to confirm all potentially impacted accounts, and are particularly mindful of individuals with pseudonymous accounts who may be targeted by the state or other actors,” Twitter warned in its advisory.

Graham Ivan Clark was responsible for a global Twitter hack in 2020

This attack, while significant, did not make as much noise as the global hack of 2020 that hijacked accounts belonging to figures such as Bill Gates and Barack Obama.

The July 15, 2020 breach, the largest in Twitter history, also took over celebrity accounts including Elon Musk, Kanye West, Amazon CEO Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather and Kim Kardashian.

Messages were posted from the famous accounts telling followers to send Bitcoin payments to a wallet address, defrauding unsuspecting victims of over $180,000 in the process.

A hacker who identified himself as “Kirk”, believed to be Graham Ivan Clark, claimed to be a Twitter employee and said he could “reset, swap and control any Twitter account at will” in exchange for cryptocurrency payments, according to court documents. Clark, who was 17 at the time and was prosecuted as a young offender, pleaded guilty and received a three-year sentence.
