Twitter fixes a software flaw that allows a hacker to steal information from 5.4 million accounts

Twitter fixes a flaw in its software that allowed a hacker called “devil” to steal phone numbers and email addresses from 5.4 million accounts, sold for $30,000 each on the dark web

  • A bad actor accessed Twitter through a zero-day vulnerability.
  • A zero-day vulnerability is a software defect unknown to the people responsible for the site.
  • The vulnerability allowed them to gather information, including phone numbers and emails, and offer 5.4 million accounts for sale on the dark web.

Twitter revealed that the zero-day vulnerability that allowed a bad actor to compile a list of 5.4 million account profiles in December 2021 is now fixed as of Friday.

A zero-day vulnerability is a software flaw unknown to the people responsible for the site, and it is an open window for anyone trying to get into the website’s backend.

The vulnerability allowed the hacker known as the “devil” to scrape Twitter and collect phone numbers and emails associated with the millions of accounts that belonged to “celebrities, companies and random people,” according to a post by the hacker on the dark web, which claims the collection was possible because of “Twitter incompetence”.

The fix comes too late, as the hacker has already uploaded the data to the dark web and was selling the accounts for $30,000 each – it’s unclear how many were purchased, BleepingComputer reports.

Twitter fixed a flaw in its software that allowed a hacker to compile phone numbers and email addresses associated with 5.4 million accounts

Twitter revealed in a security advisory on Friday: “In January 2022, we received a bug report through our rewards program of a vulnerability that allowed someone to identify the email or phone number associated with an account, or, if they knew a person’s email or phone number, they could identify their Twitter account, if it existed.

“This bug is the result of an update to our code in June 2021. When we learned about it, we immediately investigated and fixed it. At the time, we had no evidence to suggest that anyone had taken advantage of the vulnerability.”
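The advisory above describes a lookup that behaved as an oracle: ask about an email or phone number and the response tells you whether (and which) account it belongs to, which is exactly what turns one bug into a 5.4-million-row scrape. The following is an added example, not Twitter’s code, showing the leaky pattern beside a hardened version that answers identically whether or not the contact exists, plus a simple detection rule that flags a client probing many different contacts in a short window. The account directory, the request log and the thresholds are constructed sample data.

```python
from collections import defaultdict

# Constructed sample directory (hypothetical data): contact -> account handle.
ACCOUNTS = {
    "alice@example.com": "@alice",
    "+15550100": "@bob",
}

# Simulated out-of-band channel: in a real system this would be an email/SMS send.
OUTBOX = []


def lookup_leaky(contact: str) -> dict:
    """Vulnerable pattern: the response differs depending on whether the contact
    is tied to an account, so every query answers "does this person have an
    account, and which one?" for anyone who can call it."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "handle": handle}


def lookup_hardened(contact: str) -> dict:
    """Hardened pattern: the caller always gets the same response. Any real
    action (a recovery notice) is delivered to the contact itself, so the
    existence of an account is never revealed to whoever sent the request."""
    handle = ACCOUNTS.get(contact)
    if handle is not None:
        OUTBOX.append((contact, handle))  # invisible to the caller
    return {"status": "If that contact matches an account, instructions have been sent to it."}


def flag_enumeration(requests, max_distinct=5, window_s=60):
    """Detection: a client that queries more than `max_distinct` *different*
    contacts within `window_s` seconds looks like enumeration rather than one
    person recovering one account. `requests` is an iterable of
    (timestamp_seconds, client_id, contact) tuples. Returns the flagged clients."""
    by_client = defaultdict(list)
    for ts, client, contact in requests:
        by_client[client].append((ts, contact))

    flagged = set()
    for client, events in by_client.items():
        events.sort()
        for ts, _ in events:
            in_window = {c for t, c in events if ts <= t < ts + window_s}
            if len(in_window) > max_distinct:
                flagged.add(client)
                break
    return flagged


# Constructed request log: one client sweeps six distinct contacts at once,
# another re-checks a single contact twice.
SAMPLE_REQUESTS = [(0, "10.0.0.5", f"user{i}@example.com") for i in range(6)] + [
    (5, "10.0.0.9", "alice@example.com"),
    (7, "10.0.0.9", "alice@example.com"),
]

if __name__ == "__main__":
    print(lookup_leaky("alice@example.com"), lookup_leaky("nobody@example.com"))
    print(lookup_hardened("alice@example.com") == lookup_hardened("nobody@example.com"))
    print(flag_enumeration(SAMPLE_REQUESTS))
```

The hardened handler still needs a rate limit and authentication on the endpoint; the uniform response only removes the oracle, it does not stop the volume of requests, which is what the detection rule is for.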

Twitter told BleepingComputer that it knows the identity of some of the users affected by the hack and is sending notifications informing them that their phone number or email address has been exposed.

However, the social media platform has not made clear how many users have been victims.

At the moment, Twitter tells us it cannot determine the exact number of people affected by the breach. No passwords were collected by the “devil”, so the accounts themselves will not be stolen.

Twitter urges users to enable two-factor authentication on their accounts to prevent anyone else from logging into them.

“We are releasing this update because we are unable to confirm all potentially affected accounts and we are particularly alert to people with pseudonymous accounts who may be targeted by the state or other actors,” the Twitter advisory said.

Graham Ivan Clark was responsible for a global Twitter hack in 2020

This attack, while large-scale, has not made as much noise as the global hack that hijacked accounts belonging to high-profile people like Bill Gates and Barack Obama.

The July 15, 2020 breach, the largest in Twitter history, also took control of celebrities including Elon Musk, Kanye West, Amazon CEO Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather, and Kim Kardashian.

Messages from popular accounts were posted telling followers to send Bitcoin payments to email addresses, scamming over $180,000 from unsuspecting victims in the process.

A hacker who identified himself as “Kirk,” believed to be Graham Ivan Clark, claimed to be a Twitter employee and said he could “reset, swap and control any Twitter account at will” in exchange for payments in cryptocurrency, according to court documents. Clark, who was convicted as a juvenile – he was 17 at the time – received a three-year prison sentence.
