
Cyber Incident Victim: Twitter

Date: Dec 2021

Location: United States of America

Summary

A threat actor exploited a vulnerability in Twitter's systems to compile a database containing private email addresses and phone numbers linked to 5.4 million user accounts, subsequently offering the data for sale. The attacker leveraged an authentication flaw in the Android client that bypassed privacy restrictions, enabling the association of submitted contact information with account identifiers and subsequent scraping of public profile details. While the exposed data primarily consisted of publicly available information, the inclusion of non-public contact details raised concerns about targeted phishing risks. The company addressed the vulnerability after a security researcher's disclosure, though the hacker claimed no affiliation with that disclosure. A limited sample verification confirmed accuracy for some affected users.


Description

In December 2021, a threat actor exploited a vulnerability in Twitter’s Android client to compile a database containing private information linked to 5.4 million user accounts. The flaw allowed unauthorized parties to submit phone numbers or email addresses to Twitter’s systems and retrieve associated account IDs, bypassing privacy settings that restricted such actions. This process enabled the attacker, using the alias ‘devil,’ to systematically verify whether submitted contact details corresponded to active Twitter accounts and obtain their unique identifiers. With these IDs, the threat actor then scraped publicly available profile data to assemble comprehensive records on targeted users. The compromised dataset included celebrities, corporate entities, and ordinary users, totaling 5,485,636 accounts according to the hacker’s forum post. The vulnerability was independently reported to Twitter through HackerOne by security researcher ‘zhirinovskiy’ on January 1, 2022, who documented that the authorization flaw stemmed from Twitter’s account duplication verification process in its Android application. Twitter addressed the vulnerability in a patch deployed by January 13, 2022.
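The flaw class described above, as an added Python example that is not Twitter's code: a signup duplicate-account check that answers differently by existence and echoes the account id (the oracle the description refers to), beside a hardened check that returns a uniform body, rate-limits per client, and a friend-finding lookup that honors the owner's discoverability setting. The account directory, ids and contacts are constructed values.

```python
# Added example, not Twitter's code: the account-enumeration flaw class
# modelled as a signup "duplicate account" check in a constructed service.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Account:
    account_id: int
    email: str
    phone: str
    discoverable: bool  # user's "let people find me by email/phone" setting

# Constructed sample directory; all values are made up.
ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550100", discoverable=False),
    Account(1002, "bob@example.com", "+15550101", discoverable=True),
]

def _find(contact: str):
    return next((a for a in ACCOUNTS if contact in (a.email, a.phone)), None)

def duplicate_check_vulnerable(contact: str) -> dict:
    """Flawed: the body differs by existence and carries the account id,
    ignoring the owner's setting; any contact list becomes a lookup oracle."""
    acct = _find(contact)
    if acct is None:
        return {"status": "available"}
    return {"status": "taken", "account_id": acct.account_id}

_attempts: dict = defaultdict(list)  # client -> request timestamps

def duplicate_check_hardened(contact: str, client: str, now: float,
                             limit: int = 5, window: float = 60.0) -> dict:
    """Uniform body: existence is resolved server-side (owner notified out of
    band) and never echoed; per-client rate limiting is the only other path."""
    recent = [t for t in _attempts[client] if now - t < window]
    if len(recent) >= limit:
        _attempts[client] = recent
        return {"status": "rate_limited"}
    _attempts[client] = recent + [now]
    _find(contact)  # used only to decide whom to notify, never returned
    return {"status": "verification_sent"}

def contact_discovery(contact: str):
    """Legitimate friend-finding path: an id is returned only when the owner
    opted in, so this lookup cannot be turned into the oracle above."""
    acct = _find(contact)
    return acct.account_id if acct and acct.discoverable else None
```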


On July 21, 2022, ‘devil’ advertised the stolen database for sale on a cybercrime forum at a price of $30,000, claiming the data had been collected months earlier through the now-patched exploit. The seller explicitly denied any connection to zhirinovskiy or HackerOne, asserting independent discovery and exploitation of the flaw. BleepingComputer verified the accuracy of private contact information in a sample dataset provided by the hacker, confirming matches between listed phone numbers/email addresses and actual user accounts. While most data elements were publicly accessible, the inclusion of non-public contact details raised concerns about targeted phishing risks. Twitter acknowledged investigating the breach claims but did not confirm the incident’s validity at the time of reporting. The attack methodology mirrored previous large-scale scraping incidents affecting other platforms, notably Facebook’s 2021 data leak impacting 533 million users. Despite the vulnerability’s remediation, the exposed contact information remained potentially exploitable for social engineering attacks against affected account holders.
