Twitter patches a bug in its software that allowed a hacker known as ‘devil’ to steal phone numbers and email addresses from 5.4 million accounts, which were put up for sale on the dark web for $30,000
- A bad actor accessed Twitter through a zero-day vulnerability
- A zero-day vulnerability is a software flaw unknown to the parties responsible for the site
- The vulnerability allowed them to scrape information, including phone numbers and emails, and put 5.4 million accounts for sale on the dark web
Twitter revealed on Friday that the zero-day vulnerability that allowed a bad actor to compile a list of 5.4 million account profiles in December 2021 has since been patched; the company says it fixed the bug in January 2022 after receiving a bug bounty report.
A zero-day vulnerability is a software flaw unknown to the parties responsible for the site, so no fix exists yet and it stays open to anyone who has discovered it.
The vulnerability allowed the hacker known as “devil” to scrape Twitter and collect the phone numbers and emails associated with millions of accounts belonging to “celebrities, companies and random people,” according to a message from the hacker on the dark web that blamed the collection on ‘Twitter’s incompetence’.
The fix comes too late, as the hacker had already put the data up for sale on the dark web for $30,000; it is not clear how many buyers there were, BleepingComputer reports.
Twitter patched a bug in its software that allowed a hacker to collect phone numbers and email addresses associated with 5.4 million accounts
Twitter said in a security advisory on Friday: “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email address or phone number associated with an account or, if they knew a person’s email address or phone number, they could identify their Twitter account, if it existed.”
“This bug was the result of an update to our code in June 2021. When we heard about this, we immediately investigated and fixed it. At the time, we had no indications that anyone had exploited the vulnerability.”
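The advisory quoted above describes an account-enumeration oracle: a contact-lookup step (typically in signup or account recovery) whose answer differs depending on whether an email address or phone number is already registered, and which hands back the account when it is. The example below is an added illustration of that bug class, not Twitter’s code; the user table, the function and class names, the rate limit and the out-of-band message are all constructed for the demo.

```python
"""Account-enumeration oracle: a vulnerable contact check beside a hardened one.

Constructed illustration of the bug class described in the advisory. Not the
platform's real code; the user table and endpoint names are made up.
"""
from dataclasses import dataclass, field

# Constructed user table: contact identifier -> account handle.
USERS = {
    "alice@example.com": "@alice",
    "+15550100": "@bob_official",
}


def vulnerable_check_contact(contact: str) -> dict:
    """Signup helper that tells the caller whether a contact is taken and
    which handle owns it. Because the response shape depends on account
    state, anyone with a list of emails/phones can bulk-resolve them to
    handles (and, by inverting the list, go from handle to contact)."""
    handle = USERS.get(contact)
    if handle is None:
        return {"taken": False}
    return {"taken": True, "handle": handle}


@dataclass
class HardenedContactCheck:
    """Same feature without the oracle:
    - the HTTP-visible response is identical whether or not the contact exists,
    - the real answer goes out-of-band to the contact's owner only,
    - a per-caller rate limit throttles bulk probing."""
    limit_per_window: int = 5
    _calls: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)  # simulated email/SMS queue

    def check_contact(self, contact: str, caller: str) -> dict:
        n = self._calls.get(caller, 0) + 1
        self._calls[caller] = n
        if n > self.limit_per_window:
            return {"status": "rate_limited"}
        # Always queue a message to the contact so that "was a message sent?"
        # is not itself a signal; only the owner of the contact learns the answer.
        handle = USERS.get(contact)
        if handle is not None:
            body = f"A signup used this contact; it already belongs to {handle}."
        else:
            body = "Use this code to finish creating your account."
        self.outbox.append((contact, body))
        return {
            "status": "ok",
            "message": "If this contact can be used, we have sent instructions to it.",
        }


def enumerate_handles(contacts, check) -> dict:
    """What an attacker does with the oracle: feed in a contact list and keep
    every contact whose response reveals the owning handle."""
    found = {}
    for contact in contacts:
        response = check(contact)
        if response.get("taken"):
            found[contact] = response["handle"]
    return found


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com", "+15550100"]
    print("vulnerable:", enumerate_handles(probe, vulnerable_check_contact))
    hardened = HardenedContactCheck()
    print("hardened:  ", enumerate_handles(
        probe, lambda c: hardened.check_contact(c, caller="attacker")))
```

Run against the same probe list, the vulnerable endpoint yields a contact-to-handle map while the hardened one yields nothing, because its responses for registered and unregistered contacts are byte-for-byte identical and the sixth probe from the same caller is refused. Response timing should be made uniform too, which this demo does not model.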
Twitter told BleepingComputer that it has identified some of the affected users and is notifying them that their phone number or email address has been exposed.
However, the platform has not said how many users were affected.
At this point, Twitter says it cannot determine the exact number of people affected by the breach. No passwords were collected by ‘devil’, so the accounts themselves were not taken over.
Twitter is urging users to enable two-factor authentication to prevent unauthorized access to their accounts; this guards against logins, not against the exposure of contact details that has already happened.
“We are publishing this update because we cannot confirm every account that may have been affected, and we are especially on the lookout for people with pseudonymous accounts who may be targeted by state or other actors,” the Twitter advisory warned.
Graham Ivan Clark was responsible for a worldwide Twitter hack in 2020
This attack, though massive, did not make as much noise as the 2020 hack that hijacked the accounts of famous people such as Bill Gates and Barack Obama.
The July 15, 2020 breach, the largest in Twitter history, also took over accounts of celebrities such as Elon Musk, Kanye West, Amazon CEO Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather and Kim Kardashian.
Messages posted from the hijacked accounts told followers to send Bitcoin to an address, defrauding unsuspecting victims of over $180,000.
A hacker who identified himself as “Kirk,” believed to be Graham Ivan Clark, claimed to be a Twitter employee and said he could “reset, trade and manage any Twitter account at will” in exchange for cryptocurrency payments, according to court documents. Clark, who was 17 at the time and was prosecuted as a juvenile, received a three-year sentence.