Update: Twitter has rather belatedly confirmed that a hacker was able to expose the account details, though the company has not commented on the 5.4M number. See statement at the end of the piece.

A Twitter data breach has allowed an attacker to get access to the contact details of 5.4M accounts. Twitter has confirmed the security vulnerability which allowed the data to be extracted.

The data – which ties Twitter handles to phone numbers and email addresses – has been offered for sale on a hacking forum, for $30,000 …

Restore Privacy reports that the breach was made possible by a vulnerability discovered back in January.

A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.

Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings […]

A threat actor is now selling the data allegedly acquired from this vulnerability. Earlier today we noticed a new user selling the Twitter database on Breached Forums, the famous hacking forum that gained international attention earlier this month with a data breach exposing over 1 billion Chinese residents.

The post is still live now with the Twitter database allegedly consisting of 5.4 million users being for sale. The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.”

The owner of the hacking forum verified the authenticity of the attack, and Restore Privacy also says that two samples of the database check out.

We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.

All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter.

The privacy site contacted the seller, and was told the price of the database was $30,000.

HackerOne covered the vulnerability back in January, which allowed anyone to enter a phone number or email address, and then find the associated twitterID. This is an internal identifier used by Twitter, but can be readily converted to a Twitter handle.

This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavaliable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of tageting celebrities in different malicious activities.

Also a cool feature that I discovered is that you can even find the id’s of suspended Twitter accounts using this method.

It’s likely that the attacker obtained existing databases of phone numbers and email addresses obtained in breaches of other services, and then used these details to search for corresponding Twitter IDs.

There is as yet no way to check whether your account is included in the Twitter data breach. As always, it pays to be vigilant about phishing attacks – emails claiming to be from Apple, your bank, PayPal, email provider, and so on, and which ask you to login to your account.

Common phishing tactics are a message telling you that your account is at risk of deletion, or sending a fake receipt for a high-value purchase, together with a link to dispute the charge.

The main safeguard here is to never click on links sent in emails. Always use your own bookmarks, or type in a known URL.

Update: Twitter now confirms the breach

Twitter had previously confirmed the existence of the vulnerability, but not commented on the fact that it had been exploited. The company has now done so, and promised to contact affected users.

This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability. 

In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

We will be directly notifying the account owners we can confirm were affected by this issue. 

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear