Twitter patches software flaw that let a hacker steal information from 5.4 million accounts

Twitter revealed the zero-day vulnerability that allowed a bad actor to compile a list of 5.4 million account profiles in December 2021 is now patched as of Friday.

A zero-day vulnerability is a software flaw that is unknown to the parties responsible for the site and is live an open window for those lurking in the backend of the website.

The vulnerability allowed the hacker known as ‘devil’ to scrape Twitter and collect phone numbers and emails associated with the millions of accounts that belonged to ‘celebrities, companies and random people,’ according to a post by the hacker on the dark web that says the collection was due to ‘Twitters incompetence.’ 

The fix comes too late, as the hacker already uploaded the data to the dark web and was selling the accounts for $30,000 each – it is not clear how many have been bought, BleepingComputer reports.

Scroll down for video 

Twitter disclosed in a security advisory Friday: ‘In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed.’

‘This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.’

Twitter told BleepingComputer that it is aware who some of the users are who were impacted by the hack and is sending these individuals notifications to inform them their phone number or email address is now compromised. 

However, the social media platform us not clear how many users were victimized. 

At this time, Twitter tells us that they cannot determine the exact number of people impacted by the breach. No passwords were collected by ‘devil,’ so accounts will not be stolen.

Twitter urges users to establish the two-factor authentication on their accounts to stop anyone from wrongfully accessing their account.

‘We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,’ warned the Twitter advisory.

This attack, although large, did not make as much noise as the global hack that hijacked accounts belong to high profile people like Bill Gates, Barak Obama and Bill Gates.

The July 15, 2020, breach, the biggest in Twitter history, also took over accounts of celebrities including Elon Musk, Kanye West, Amazon CEO Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather and Kim Kardashian. 

Messages were posted from the famous accounts telling followers to send Bitcoin payments to email addresses, swindling more than $180,000 out of unsuspecting victims in the process. 

A hacker who identified himself as ‘Kirk’, believed to be Graham Ivan Clark, claimed to be a Twitter employee and said he could ‘reset, swap and control any Twitter account at will’ in exchange for cybercurrency payments, according to court papers. Clark, who was sentenced as a youthful offender – he was 17 years old at the time at the time – took a three-year prison plea.