On July 25, 2022, it was reported that the data of 5.4 million Twitter users had been put up for sale. The database was created by combining publicly available information with users’ phone numbers and email addresses, which were obtained through the exploitation of a security vulnerability. The hacker valued the database at $30,000.
According to Bleeping Computer, the hacker known as “devil” claimed that the dump contains information on a variety of accounts, including celebrities, companies, and random users. The hacker confirmed to journalists that the data was collected in December 2021 using a vulnerability first reported by security experts at Restore Privacy. This vulnerability was fixed in early January of this year, and a report about it can be found on HackerOne.
How the Vulnerability Worked
The vulnerability allowed anyone, without authentication, to find out the Twitter ID (which is almost equivalent to the account’s username) of any user from their phone number or email address—even if the user had restricted this in their privacy settings. According to the report by the user “zhirinovskiy,” the flaw lay in the authorization flow used by the Twitter Android client, specifically in its duplicate-account check.
Devil emphasized that he is not acquainted with zhirinovskiy and that his exploitation of the vulnerability was not directly related to the HackerOne report. The hacker confirmed that by using an email address or phone number, it was possible to determine if it was linked to a Twitter account and then obtain the account’s ID. With this identifier, devil apparently extracted other publicly available data to create user profiles.
Comparison to Previous Data Leaks
It’s worth noting that in 2021, a similar method was used to compile a dump containing information on 533,313,128 Facebook users.
Twitter’s Response and Data Verification
Twitter has not officially confirmed the leak but assured the media that they are already investigating the incident. The company also reiterated that the vulnerability discovered last winter has long since been fixed.
Journalists from Bleeping Computer independently verified the data of some Twitter users included in the sample provided by the hacker. They found that the personal information (email addresses and phone numbers) was accurate.
Current Status of the Sale
Interestingly, according to DLBI, the sale listing has already been removed, and the seller’s contact on Telegram is inactive.
* Facebook is blocked in Russia and belongs to Meta, which is recognized as an extremist organization and banned in the Russian Federation.