• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
Restore Privacy

Restore Privacy

Resources to stay safe and secure online

  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact
  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact

Verified Twitter Vulnerability Exposes Data from 5.4 Million Accounts

July 21, 2022 By Sven Taylor — 21 Comments
Twitter data breach 2022

A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.

Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings.

The bug was specific to Twitter’s Android client and occurred with Twitter’s authorization process.

The HackerOne user “zhirinovskiy” submitted the bug report on January 1st of this year. He described the potential consequences of this vulnerability as a serious threat that could be exploited by threat actors.

This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavaliable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of tageting celebrities in different malicious activities

– HackerOne user zhirinovskiy

The HackerOne report subsequently lays out exactly how to replicate the vulnerability and acquire the data from a targeted Twitter account.

Five days after posting the report, Twitter staff acknowledged this to be a “valid security issue” and promised to investigate further. After further investigating the issue and working to fix the vulnerability, Twitter awarded user zhirinovskiy with a $5,040 bounty.

Twitter hacked
Twitter acknowledged the vulnerability and awarded the HackerOne user a bounty.

Exploiting this vulnerability with the Twitter Android client is described as follows on the HackerOne report:

The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibitted this action in the privacy settings. The bug exists due to the proccess of authorization used in the Android Client of Twitter, specifically in the procces of checking the duplication of a Twitter account.

– HackerOne user zhirinovskiy

Today, however, we see the consequences of this vulnerability come to fruition.

Hacker lists database of 5.4 million Twitter users for sale

Exactly as the HackerOne user zhirinovskiy described in the initial report in January, a threat actor is now selling the data allegedly acquired from this vulnerability.

Earlier today we noticed a new user selling the Twitter database on Breached Forums, the famous hacking forum that gained international attention earlier this month with a data breach exposing over 1 billion Chinese residents.

The post is still live now with the Twitter database allegedly consisting of 5.4 million users being for sale. The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.”

Twitter hack data breach for sale
Source: RestorePrivacy.com

A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.

The Breach Forums user selling the database also posted a sample of the data.

Analysis and verification of the data sample

We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.

Below are two samples from the database we examined. All samples we looked at match up with real-world people that can be easily verified with public profiles on Twitter.

Twitter email hack database leak

We reached out to the seller of this database to gather additional information.

He told RestorePrivacy that all of the information was already disclosed in the HackerOne report. The seller is asking for at least $30,000 for the database, which is now available due to “Twitter’s incompetence” according to the seller.

Twitter database email 2022 leak

We reached out to Twitter for comment on this situation on July 21, 2022.

Update July 24, 2022: Twitter has confirmed they are investigating the situation.

Related Articles:

  • Twitter Now Acknowledges Security Bug That Exposed Data from 5.4+ Million Accounts
  • Massive New Twitter Leak Allegedly Exposes 400M+ Users

About Sven Taylor

Sven Taylor is the lead editor and founder of Restore Privacy, a digital privacy advocacy group. With a passion for digital privacy and accessible information, he created RestorePrivacy to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics.

Reader Interactions

Comments

  1. Gautam Mengle

    August 6, 2022

    Rather weird request, but I’m a journalist based in India covering crime and cybersecurity. I wanted to ask if I could use the images from this write up with my own article. I’d be happy to give credit to Restore Privacy, if that is required.
    My name is Gautam S. Mengle, and I work for the Free Press Journal in Mumbai, India.
    Please permit me to thank you in advance.

    Reply
    • Sven Taylor

      August 6, 2022

      Hi Gautam, provided you credit this site and link to our report, no problem, go right ahead. Thanks for asking.

      Reply
  2. Frustrated

    August 3, 2022

    I’ve had it with Twitter.

    I agree we need a workaround against websites who insist on Two-factor authentication (2FA) where they only send texts which can’t be received on landlines.

    Many people, especially our elders, don’t have a cell phone (they have a landline) and they use a tablet. They don’t have a mobile number. It’s not just them, but many now. We also want to keep our cellphone number private to reduce the likelihood of such breaches.

    We need some options here, Sven. Can you research the subject on which services will accept short (sms) codes?

    Reply
  3. BoBeX

    August 2, 2022

    Hi Sven,

    Great reporting!

    I would only echo the point made by Judy A Zwyghuizen in the comments below.
    Judy A Zwyghuizen: “So how would we know if we were Breached ????”

    Has Twitter informed the affected users?

    Regards,

    BoBeX

    Reply
    • AnnoyinTwitter

      August 3, 2022

      Isn’t 2FA the same as providing your mobile number to Twitter when they decide to be stupid and insist you provide a valid non sip VoIP number? That’s what’s happening lately and none of the third party websites work as Twitter recognizes them as non carrier specific numbers.

      Can Sven provide a review or tutorial for a workaround?

      Reply
  4. Eric

    July 30, 2022

    Hi Sven, If the hackers obtained the phone numbers of the Twitter accounts, would the two-factor identification (SMS) be compromised? So, is it safe to use SMS two-factor authentication ?? Maybe not finally

    Reply
    • Sven Taylor

      July 30, 2022

      No, 2FA should not be affected.

      Reply
  5. Satish Kumar

    July 27, 2022

    Hack Twitter

    Reply
  6. Ana

    July 26, 2022

    Twitter should buy the database. It’s the least they could do to protect their users.

    Reply
    • Hellen

      August 9, 2022

      Yes. Which forum this database are?

      Reply
  7. Anonymous

    July 23, 2022

    Twitter should pay more for vulnerabilities that affect users in line,

    Reply
    • Charles

      July 27, 2022

      Yes

      Reply
    • You wish

      October 27, 2022

      I agree with the and all public media

      Reply
  8. Etienne

    July 23, 2022

    Elon Musk looking away.

    Reply
    • Reality Check

      July 23, 2022

      It’s strategic. Musk will probably end up buying Twitter anyway.

      Reply
    • Charles

      July 27, 2022

      Was probably him trying to drive down price

      Reply
  9. Hmm

    July 23, 2022

    And twitter still insists on you providing them a legitimate non-voip phone number to verify your identity

    Reply
    • Judy A Zwyghuizen

      July 26, 2022

      So how would we know if we were Breached ????

      Reply
  10. Curious

    July 21, 2022

    So what is the relationship between Zhirinovskiy on Hacker One and Devil on that hacking forum?

    Reply
    • 8778

      July 22, 2022

      Yup. That’s the first thing that popped into my head.

      Reply
    • v0id

      July 22, 2022

      “”I don’t want to white hat in trouble who reported it on H1. I guess a lot of people are trying to connect him to me, I would be pissed if I was him. So I cant stress this enough I have nothing to do w him nor H1,” the threat actor told BleepingComputer.”

      oh yep, it’s definitely him

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

Digital Privacy Essentials:
Secure Browsers
Private Search Engines
Secure Email
Best Password Managers
Secure Messaging Services
Best Ad Blockers
Best VPN Services
Secure Cloud Storage

Privacy & Security Guides:
Privacy Tools
Alternatives to Google Products
Firefox Privacy Modifications
Five Eyes, 9 Eyes, 14 Eyes Spying
Browser Fingerprinting
Is Tor Safe?
Alternatives to Gmail
VPN vs Tor
Alternatives to WhatsApp
Is Your Antivirus Spying on You?
Controlling Communication Channels is Crucial for Privacy
Anonymity Networks: VPNs, Tor, and I2P
How to Really Be Anonymous Online
Private and Anonymous Payments

Secure Email Reviews:
ProtonMail Review
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Temporary Email Services
Encrypted Email

Password Manager Reviews:
Bitwarden Review
LastPass Review
KeePass Review
NordPass Review
Dashlane Review
1Password Review
Best Password Managers

Secure Messaging App Reviews:
Wire Review
Signal Review
Threema Review
Telegram Review
Session Review
Wickr Review

Secure Cloud Storage Reviews
Tresorit Review
MEGA Cloud Review
Sync.com Review
Nextcloud Review
IDrive Review
pCloud Review
SpiderOak Review
NordLocker Review

How To Guides
How to Encrypt Files on Windows
How to Encrypt Email
How to Configure Windows 10 for Privacy
How to use Two-Factor Authentication (2FA)
How to Secure Your Android Device for Privacy
How to Secure Your Home Network
How to Protect Yourself Against Identity Theft
How to Unblock Websites
How to Fix WebRTC Leaks
How to Test Your VPN
How to Hide Your IP Address
How to Create Strong Passwords
How to Really Be Anonymous Online

About RestorePrivacy

Contact

Restore Privacy Checklist

  1. Secure browser: Modified Firefox or Brave
  2. VPN: NordVPN (68% Off Coupon) or Surfshark
  3. Ad blocker: uBlock Origin or AdGuard
  4. Secure email: Mailfence or Tutanota
  5. Secure Messenger: Signal or Threema
  6. Private search engine: MetaGer or Brave
  7. Password manager: NordPass or Bitwarden

About

Restore Privacy is a digital privacy advocacy group committed to helping people stay safe and secure online. You can support this project through donations, purchasing items through our links (we may earn a commission at no extra cost to you), and sharing this information with others. See our mission here.

We’re available for Press and media inquiries here.

Restore Privacy is also on Twitter

COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP