Entertainment · August 6, 2022

Twitter fixes a bug that allowed a hacker to steal information from 5.4 million accounts

Twitter is fixing a bug in its software that allowed a hacker named “Devil” to steal phone numbers and email addresses from 5.4 million accounts that they sold for $30,000 each on the dark web

  • An attacker accessed Twitter via a zero-day vulnerability
  • A zero-day vulnerability is a software bug unknown to those responsible for the site
  • The vulnerability allowed them to scrape information, including phone numbers and emails, and put 5.4 million accounts on the dark web for sale

Twitter disclosed on Friday the now-patched zero-day vulnerability that allowed an attacker to compile a list of 5.4 million account profiles in December 2021.

A zero-day vulnerability is a software bug unknown to those who run the website, leaving an open window for anyone probing the website’s backend.

The vulnerability allowed the hacker known as “Devil” to scrape Twitter and collect the phone numbers and emails associated with millions of accounts owned by “celebrities, businesses and random people,” according to the hacker’s post on the dark web, which blamed the data collection on “Twitter’s incompetence”.

The fix comes too late as the hacker has already uploaded the data to the dark web and sold the accounts for $30,000 each — it’s not clear how many were bought, BleepingComputer reports.

Twitter fixed a bug in its software that allowed a hacker to piece together phone numbers and email addresses associated with 5.4 million accounts

Twitter announced in a security advisory on Friday: “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email address or phone number associated with an account, or, if they knew someone’s email address or phone number, they could identify their Twitter account if one existed.

“This bug resulted from an update to our code in June 2021. When we found out about it, we immediately investigated and fixed it. At the time, we had no evidence that anyone had exploited the vulnerability.”
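As an added illustration (not Twitter’s code, and not the actual endpoint involved): a contact-lookup handler that behaves as the existence oracle the advisory describes, next to one that answers uniformly and caps lookups per caller; the user store, contacts and caller names are constructed sample data.

```python
# Added illustration, not Twitter's code: a contact-lookup handler that acts
# as an account-existence oracle, beside one that answers uniformly and
# rate-limits callers so bulk scraping is blunted.
from collections import defaultdict, deque

# Constructed sample user store: contact (email or phone) -> account handle.
USERS = {
    "alice@example.com": "alice",
    "+15550100": "alice",
    "bob@example.com": "bob",
}


def lookup_vulnerable(contact: str) -> dict:
    """Response differs by whether the contact is linked to an account, so a
    caller can map emails/phones to handles at scale (the bug class described)."""
    handle = USERS.get(contact)
    if handle is None:
        return {"status": 404, "body": "no account uses this contact"}
    return {"status": 200, "body": f"linked to @{handle}"}


def lookup_hardened(contact: str) -> dict:
    """Identical status and body either way; any real action (e.g. emailing
    the owner) happens out of band, so nothing observable depends on the match."""
    _ = USERS.get(contact)  # may trigger an out-of-band notification; never echoed
    return {"status": 200, "body": "if this contact is registered, we have sent it instructions"}


class RateLimiter:
    """Sliding-window cap per caller (account, API key or IP): enumerating
    millions of contacts needs millions of probes, so a low per-caller budget
    limits the damage even if a response difference slips through."""

    def __init__(self, max_calls: int, window_s: float):
        self.max_calls, self.window_s = max_calls, window_s
        self.calls = defaultdict(deque)  # caller -> timestamps inside the window

    def allow(self, caller: str, now: float) -> bool:
        q = self.calls[caller]
        while q and now - q[0] >= self.window_s:  # drop probes that aged out
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


def is_oracle(handler, registered: str, unregistered: str) -> bool:
    """Defender's regression check: a handler is an oracle if its observable
    output differs between a registered and an unregistered contact."""
    return handler(registered) != handler(unregistered)
```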

Twitter told BleepingComputer that it knows who some of the users affected by the hack are and is sending alerts to those people to let them know their phone number or email address is now compromised.

However, the social media platform is not clear on how many users have been victimized.

At this time, Twitter says it cannot determine the exact number of people affected by the breach. No passwords were collected by “Devil”, so the accounts themselves will not be stolen.

Twitter is urging users to set up two-factor authentication for their accounts to prevent anyone else from accessing their account.

“We are releasing this update because we cannot confirm every potentially affected account and are particularly vigilant for individuals with pseudonymous accounts that may be targeted by government or other actors,” the Twitter note warned.

Graham Ivan Clark was responsible for a global Twitter hack in 2020

While this attack was large, it didn’t make as much noise as the global hack that hijacked accounts owned by high-profile individuals like Bill Gates and Barack Obama.

The July 15, 2020 breach, the largest in Twitter history, also took over accounts from celebrities including Elon Musk, Kanye West, Amazon CEO Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather and Kim Kardashian.

Messages were posted by the famous accounts urging followers to send Bitcoin payments to email addresses, with more than $180,000 being stolen from unsuspecting victims.

A hacker who identified himself as “Kirk,” believed to be Graham Ivan Clark, claimed to be a Twitter employee and said he could “reset, trade, and control any Twitter account at will” in exchange for cybercurrency payments, according to court filings. Clark, who was convicted as a juvenile offender – he was 17 at the time – accepted a three-year sentence.