Cybersecurity specialist “zhirinovskiy” disclosed a Twitter vulnerability on the HackerOne platform in January. The report described in detail how the vulnerability in the login pipeline worked and how easily it could be exploited in just a few steps. The key takeaway was that a malicious party could discover the Twitter account associated with a given phone number or email address. The bug was in Twitter's Android app.
About two weeks later, a Twitter official acknowledged that the problem had been resolved and awarded zhirinovskiy a bug bounty of $5,040 for helping to identify and resolve the “legitimate security vulnerability” (via Restore Privacy). The fix, though, came too late. Restore Privacy reports that a malicious user going by the handle “devil” had already taken advantage of the security hole to scrape information from 5,485,636 Twitter accounts.
The stolen information was subsequently put up for sale on Breached Forums, the infamous dark web hacker forum. The hacker stated in the post that “These users span from Celebrities, to Companies, to Randoms, to OGs, etc” (via Restore Privacy). Both the hacker and the specialists at Restore Privacy confirmed the authenticity of the data. Notably, the hacker asked for only $30,000 for the information from more than 5.4 million Twitter accounts.