Twitter launches probe after miscreants claim to have swiped 5.4m users' details

Twitter is investigating claims that a near-seven-month-old vulnerability in its software has been exploited to obtain Twitter account IDs linked to phone numbers and email addresses of a reported 5.4 million users. 

A miscreant using the handle "devil" claims to have siphoned the details and is selling it all on a cyber-crime forum, according to RestorePrivacy, a digital privacy advocacy group that first reported the security breach. It's said that the info belongs to celebrities, companies, ordinary netizens, and accounts with highly desirable usernames.

"We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question," a Twitter spokesperson wrote in an email to The Register. 

The statement also noted the exploited bug was reported through Twitter's bug bounty program and fixed in January. 

"We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability," the spokesperson said. "As always, we're committed to protecting the privacy and security of the people who use Twitter. We're grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this."

The Twitter spokesperson did not respond to The Register's questions about whether the owners of the accounts in question have been notified, and what the company is doing to mitigate the issue.

• Judge approves Twitter's request to hurry along Musk trial to October
• Walmart-controlled flight booking service suffers substantial data leak
• 1.9m patient records exposed in healthcare debt collector ransomware attack
• National data privacy law for the US clears first hurdle

A HackerOne user, zhirinovskiy, disclosed the privacy flaw, which lies in the authorization process in Twitter's Android client, on New Year's Day. Essentially, an oversight in the software's design could be abused to harvest Twitter IDs from the email addresses and phone numbers registered with those accounts, even if users had chosen not to reveal this info.

That could be used to unmask pseudonymous users: if you have their contact details, and suspect they are running a Twitter account, you could use the API-level flaw to find out who they are tweeting as. That would be useful to nation states and organizing seeking to out those running accounts they perceive as a problem.

"This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections)," zhirinovskiy wrote at the time.

"Such bases can be sold to malicious parties for advertising purposes, or for the purposes of [targeting] celebrities in different malicious activities," the bug hunter added. "Also a cool feature that I [discovered] is that you can even find the id's of suspended Twitter accounts using this method."

Twitter paid zhirinovskiy a $5,040 bounty for the discovery, and fixed the vulnerability on January 13.

Last week, however, RestorePrivacy said it found a database mapping contact details to handles for sale on Breached Forums, analyzed the the samples, and confirmed that they matched "real-world people that can be easily verified with public profiles on Twitter."

The organization also reached out to Devil, the seller, who said they wanted $30,000 for the information obtained via "Twitter's incompetence." ®

Bootnote

Speaking of Twitter, Elon Musk – the tech tycoon accused of trying to wriggle out of buying the website – has denied a Wall Street Journal report that he had an affair with Nicole Shanahan, the wife of Google co-founder and Musk's friend Sergey Brin.

It's claimed Musk met Shanahan at the end of last year while she was separated from but still living with Brin. The Google billionaire has since filed for divorce and derailed his friendship with the SpaceX supremo, apparently.

"This is total BS," Musk tweeted on Sunday. "Sergey and I are friends and were at a party together last night!

"I’ve only seen Nicole twice in three years, both times with many other people around. Nothing romantic."