Twitter fixes software vulnerability that allowed a hacker to steal information from 5.4 million accounts

Twitter is patching a vulnerability in its software that allowed a hacker calling themselves “the devil” to steal phone numbers and email addresses from 5.4 million accounts, which they offered for sale on the dark web for $30,000 each.

  • An attacker gained access to Twitter through a zero-day vulnerability
  • A zero-day vulnerability is a software vulnerability that the parties responsible for the site do not know about.
  • The vulnerability allowed them to collect information, including phone numbers and emails, and put 5.4 million accounts on the dark web up for sale.

Twitter has disclosed a zero-day vulnerability that allowed an attacker to compile profiles of 5.4 million accounts in December 2021; the flaw has now been patched as of Friday.

A zero-day vulnerability is a software vulnerability that the parties responsible for the site are unaware of, which leaves an open window for attackers lurking in the back end of a website.

The vulnerability allowed a hacker known as “the devil” to scrape Twitter and collect the phone numbers and emails associated with millions of accounts belonging to “celebrities, companies and random people,” according to a dark web post by the hacker, which says the data was collected thanks to “Twitter’s incompetence”.

The fix comes too late, as the hacker had already uploaded the data to the dark web and was selling accounts for $30,000 each; it is not clear how much was bought, BleepingComputer reports.


Twitter has patched a vulnerability in its software that allowed a hacker to collect phone numbers and email addresses associated with 5.4 million accounts.

Twitter revealed in a security advisory on Friday: “In January 2022, through our bug bounty program, we received a report of a vulnerability that allowed someone to identify the email address or phone number associated with an account, or, if they knew a person’s email address or phone number, they could identify their Twitter account, if one exists.

“This bug was introduced as a result of an update to our code in June 2021. When we found out about this, we immediately investigated and fixed it. At the time, we had no evidence that anyone had exploited the vulnerability.”
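The advisory above describes a lookup that answered differently depending on whether a contact detail was tied to an account, which is what turns a convenience feature into an enumeration oracle. As an added illustration (not Twitter's code; the user table, handler names, log format and IP addresses are all constructed), the block below places such a leaky lookup beside a hardened version that returns one fixed reply whatever the result, and adds a simple detector that flags clients querying an unusual number of distinct contacts:

```python
"""Account-existence oracle: a leaky contact lookup beside a hardened one,
plus a volume-based enumeration detector over request logs.

Added illustration only; not Twitter's code.  The user table, handler
names, log format and IP addresses are all constructed for the example."""
from __future__ import annotations
from collections import defaultdict
import re

# Constructed directory of contact detail -> account handle.
USERS = {
    "alice@example.com": "@alice",
    "+15551230001": "@bob_builds",
}

# Messages "delivered" to the contact's own inbox/phone (simulated).
OUTBOX: list[tuple[str, str]] = []


def lookup_vulnerable(contact: str) -> str:
    """Leaky version: the reply differs depending on whether the contact
    is registered, and even names the account.  Fed a list of emails or
    phone numbers, a caller can learn which ones belong to accounts and
    to whom; that is the class of flaw the article describes."""
    handle = USERS.get(contact)
    if handle is None:
        return "No account is associated with that contact."
    return f"This contact belongs to {handle}."


def lookup_hardened(contact: str) -> str:
    """Fixed version: one fixed reply whatever the lookup result.  The real
    answer goes only to the contact itself, so a caller who does not
    control that email or phone number learns nothing from the response."""
    handle = USERS.get(contact)
    if handle is not None:
        # Out-of-band delivery; the response below must not depend on it.
        OUTBOX.append((contact, handle))
    return ("If an account is associated with that contact, "
            "we have sent instructions to it.")


# Constructed access-log lines for the (hypothetical) lookup endpoint.
# Each line carries the requesting client and a hash of the queried contact.
SAMPLE_LOG = """\
2022-01-03T10:00:01Z client=198.51.100.4 path=/lookup contact_hash=h1
2022-01-03T10:00:40Z client=198.51.100.4 path=/lookup contact_hash=h1
2022-01-03T10:00:02Z client=203.0.113.7 path=/lookup contact_hash=h2
2022-01-03T10:00:02Z client=203.0.113.7 path=/lookup contact_hash=h3
2022-01-03T10:00:03Z client=203.0.113.7 path=/lookup contact_hash=h4
2022-01-03T10:00:03Z client=203.0.113.7 path=/lookup contact_hash=h5
2022-01-03T10:00:04Z client=203.0.113.7 path=/lookup contact_hash=h6
2022-01-03T10:00:04Z client=203.0.113.7 path=/lookup contact_hash=h7
2022-01-03T10:00:09Z client=192.0.2.9 path=/profile contact_hash=-
""".splitlines()

LINE_RE = re.compile(
    r"client=(?P<client>\S+) path=(?P<path>\S+) contact_hash=(?P<hash>\S+)")


def flag_enumerators(lines: list[str], threshold: int) -> dict[str, int]:
    """Return {client: distinct contacts queried} for clients that looked up
    more than `threshold` distinct contacts.  A legitimate user re-checks
    the one or two contacts they own; a scraper walks through many, so the
    count of distinct contacts per client is the signal, not raw volume."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["path"] != "/lookup":
            continue
        seen[m["client"]].add(m["hash"])
    return {c: len(h) for c, h in seen.items() if len(h) > threshold}


if __name__ == "__main__":
    for contact in ("alice@example.com", "nobody@example.com"):
        print(contact, "->", lookup_vulnerable(contact))
        print(contact, "->", lookup_hardened(contact))
    print("flagged:", flag_enumerators(SAMPLE_LOG, threshold=5))
```

The hardened handler is only half the fix: a response that is identical in text but measurably slower for registered contacts still leaks, so the database work should be the same on both paths, and the endpoint should be rate-limited per client as well as monitored with the kind of distinct-contact count shown above.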

Twitter told BleepingComputer that it knows the identities of some of the affected users and is sending notifications to those individuals to let them know that their phone number or email address has been compromised.

However, the social media platform does not know how many users have been affected.


Twitter says it currently cannot determine the exact number of people affected by the hack. No passwords were collected by “the devil”, so no accounts will be stolen.

Twitter encourages users to set up two-factor authentication on their accounts to prevent unauthorized access.

“We’re posting this update because we can’t verify every account that has been potentially affected, and are especially vigilant about people with pseudonymous accounts that could be targeted by governments or other entities,” Twitter warned.

Graham Ivan Clark was responsible for the global Twitter hack in 2020.

This attack, although large, did not create as much buzz as the global hack, which broke into accounts belonging to such famous people as Bill Gates and Barack Obama.

The July 15, 2020 hack, the largest in Twitter history, also took over the accounts of celebrities including Elon Musk, Kanye West, Amazon CEO Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather and Kim Kardashian.

Messages were posted from the compromised accounts inviting followers to send bitcoin payments to email addresses, resulting in more than $180,000 swindled from unsuspecting victims.

According to court documents, a hacker who identified himself as “Kirk”, believed to be Graham Ivan Clark, claimed to be a Twitter employee and said he could “dump, change and control any Twitter account at will” in exchange for cryptocurrency payments. Clark, who was 17 at the time and was convicted as a juvenile, accepted a three-year prison sentence.