Twitter corrects a bug that allowed a hacker to steal information from 5.4 million accounts

Twitter has fixed a flaw in its software that allowed a hacker called “Satan” to steal phone numbers and email addresses from 5.4 million accounts, which were then sold on the dark web for $30,000 per account.

  • A bad actor gained access to Twitter data through a zero-day exploit
  • The zero-day vulnerability is a software flaw unknown to the parties responsible for the site
  • The vulnerability allowed the attacker to scrape information, including phone numbers and emails, and offer 5.4 million accounts for sale on the dark web.

Twitter has disclosed a zero-day exploit that allowed a bad actor to compile a list of 5.4 million account profiles in December 2021; the flaw is now patched as of Friday.

A zero-day vulnerability is a software flaw unknown to the parties responsible for the site, and it leaves an open window for anyone lurking in the site’s backend.

The flaw allowed a hacker known as ‘devil’ to scrape Twitter and collect phone numbers and emails linked to millions of accounts belonging to ‘celebs, companies and random people’, according to a dark web post in which the hacker attributes the data to ‘Twitter incompetence’.

The fix comes too late, as the hacker had already uploaded the data to the dark web and was selling accounts for $30,000 per account — and it’s unclear how many accounts were purchased, BleepingComputer reports.


Twitter has patched a flaw in its software that allowed a hacker to collect phone numbers and email addresses associated with 5.4 million accounts.

Twitter revealed in a security advisory on Friday: “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to learn about the email or phone number associated with an account, or if they knew the email or someone’s phone number, they can identify their Twitter account, if one exists.

This error was caused by an update to our code in June 2021. When we found out, we investigated and fixed it immediately. At the time, we had no evidence to suggest that someone had exploited the vulnerability.”
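The advisory describes a classic account-enumeration oracle: a contact-lookup feature whose response differs depending on whether an email or phone number is linked to an account. The following added example (not Twitter’s code; all account data, callers and log lines are constructed) models that behaviour in a toy handler, shows a hardened version whose response is the same either way and that rate-limits and logs each caller, and runs a small detector over the resulting log to flag bulk lookups of the kind a scraper would generate.

```python
"""Toy model of the contact-lookup oracle described in the advisory.

Added illustration only: a vulnerable lookup, a hardened lookup, and a
detector for bulk lookups in request logs. Accounts, callers and log
lines are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample directory: contact identifier -> handle (not real accounts).
ACCOUNTS = {
    "alice@example.test": "@alice_demo",
    "+15555550100": "@bob_demo",
}


def vulnerable_lookup(contact: str) -> dict:
    """Behaviour the advisory describes: the response reveals whether an
    email or phone number is linked to an account, and to which one, so a
    caller holding a list of contacts can turn it into a list of accounts."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "handle": handle}


@dataclass
class HardenedLookup:
    """Same feature ('help me find my account by contact'), but the response
    is identical whether or not the contact matches, any match is acted on
    only out-of-band (a message to that contact), and each caller is rate
    limited and logged so bulk use stands out."""
    max_requests: int = 5
    _counts: dict = field(default_factory=lambda: defaultdict(int))
    outbox: list = field(default_factory=list)  # out-of-band messages sent
    log: list = field(default_factory=list)     # one line per request

    def lookup(self, caller: str, contact: str) -> dict:
        self._counts[caller] += 1
        if self._counts[caller] > self.max_requests:
            self.log.append(f"caller={caller} action=lookup result=rate_limited")
            return {"status": "too_many_requests"}
        matched = contact in ACCOUNTS
        if matched:
            # The account holder learns about the request; the caller does not.
            self.outbox.append((contact, "Someone asked to locate your account."))
        self.log.append(f"caller={caller} action=lookup matched={matched}")
        # Constant response: no field depends on `matched`.
        return {"status": "ok",
                "message": "If this contact is linked to an account, we have sent it a message."}


def detect_bulk_lookups(log_lines, threshold=3):
    """Return callers that issued more than `threshold` lookup requests.

    Scraping of the scale reported here (millions of lookups) shows up as a
    handful of callers each making far more lookups than a person would.
    Log lines are 'key=value' pairs separated by spaces, as written above."""
    counts = defaultdict(int)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("action") == "lookup":
            counts[fields["caller"]] += 1
    return sorted(c for c, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print(vulnerable_lookup("alice@example.test"))   # leaks the handle
    h = HardenedLookup()
    for i in range(7):                                # one scraper-like caller
        print(h.lookup("scraper", f"user{i}@example.test"))
    h.lookup("person", "alice@example.test")          # one ordinary caller
    print("flagged:", detect_bulk_lookups(h.log))     # ['scraper']
```

The hardened handler keeps the product feature but removes the oracle: the caller cannot distinguish a hit from a miss, and the only party who learns anything is the contact’s owner. The detector is deliberately simple (a per-caller count); in production the same idea would be applied per source address and per time window.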

Twitter told BleepingComputer that it knows who some of the affected users are and is sending notifications to these individuals informing them that their phone number or email address has been exposed.

However, the social media platform does not say how many users have fallen victim.

The fix comes too late, as the hacker had already uploaded data to the dark web and was selling accounts for $30,000 per account - it's unclear how many accounts were purchased


At this time, Twitter tells us that it cannot determine the exact number of people affected by the breach. No passwords were collected by “Satan”, so the accounts themselves cannot be taken over with this data.

Twitter urges users to enable two-factor authentication on their accounts to prevent anyone from wrongly gaining access to them.

The Twitter advisory warned: “We are publishing this update because we are unable to confirm every account potentially affected, and we are particularly aware of people with pseudonymous accounts who could be targeted by the state or other actors.”

Graham Evan Clark was responsible for the global hack of Twitter in 2020


This attack, while massive, did not make as much noise as the 2020 global hack, in which the hijacked accounts belonged to notable personalities such as Bill Gates and Barack Obama.

The July 15, 2020 hack, the largest in Twitter history, took over the accounts of celebrities including Elon Musk, Kanye West, Amazon CEO Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather and Kim Kardashian.

Messages spread from popular accounts telling followers to send Bitcoin payments to listed addresses, scamming unsuspecting victims out of more than $180,000 in the process.

A hacker who identified himself as ‘Kirk’ and is believed to be Graham Evan Clark claimed to be a Twitter employee and said he could ‘reset, swap and control any Twitter account as he liked’ in exchange for cryptocurrency payments, according to court papers. Clark, who was convicted as a young offender — he was 17 at the time — petitioned for three years in prison.
