According to the seller, the database contains the user names, the numbers of the followers and the followed, and above all the phone numbers and email addresses of “famous, companies, random, original users (that is, those who were among the first users of the service) and the like.” He published a sample of the material, which was confirmed as indeed including personal details of users, and even received “kosher” from the operator of the hacker forum where the repository was posted for sale, who wrote that he had seen the repository and it does include the information the hacker promises.
More in-
The hacker claims to have obtained the details thanks to Twitter’s “incompetence” – and it seems he’s not exaggerating: the hack he relied on to collect the information was reported by a user on the HackerOne security forum earlier this year. The user revealed that in the Twitter application for Android there is a bug in the verification process that allows to cross usernames and personal details such as phone number and email address. Twitter confirmed the existence of the breach after 5 days, and even paid the reporter a “reward” of $5,040 – but apparently did not fix the breach for some time, which allowed the hacker to exploit it to collect the information he is now selling.