A Los Angeles-based cyber security expert has warned of a data breach at a social media site that has allegedly affected millions of people across the US and EU.
The founder of cyber security awareness company Habitu8 took to the social media site on November 23 to warn users of an alleged data breach that has not been reported before.
They had seen the data stolen in the alleged incident and spoken to potential victims who had confirmed that the data was accurate, according to a series of tweets by Loder.
Any account with the “let others find you by phone number” setting enabled in its “discoverability” settings is affected, and “all accounts for the entire country code of France” are listed with their full mobile numbers.
The data set includes personal information for celebrities, prominent politicians and government agencies, as well as the full phone number spaces for multiple country codes in the EU and the US.
The data breach that affected millions of user accounts in July of this year cannot be the same as this one if the company lied about it. The data from this breach is not the same data as that seen in the July breach, as it is in a completely different format and has different affected accounts.
The same vulnerability was exploited in the hack reported in July.
At some point in the last 24 hours, the account was suspended due to violating the rules on the social networking website.
The July 2022 Twitter data breach
On July 27 of this year, a hacker who went by the name "devil" claimed in a post on a hacking forum that they were selling data stolen from more than five million accounts on social media.
The data stolen included email addresses and phone numbers from celebrities. OGS stands for short, consisting of one or two letters, like a first name. Devil said they would not accept less than US$30,000 for the data set.
The owner of the site first verified that the leak was authentic and that devil was able to exploit a vulnerability on the social media site that was first flagged in January.
On January 1, 2022, a report on the vulnerability was published to bug bounty and vulnerability coordination platform HackerOne. They described the effects of the vulnerability.
The vulnerability allows anyone who doesn’t have a password to gain access to a user’s account by submitting a phone number or email, even if the user has banned this action in their privacy settings. The bug exists due to the process of authorization used in the Android client of Twitter.
The vulnerability could allow an attacker with a basic knowledge of coding to enumerate a big chunk of the user base and collect user data into a database that linked their email addresses or phone numbers. This could be sold to malicious parties who could use the data for advertising or to target specific celebrities.
The issue was fixed on January 13 after zhirinovsky paid US$5,040 to fix the vulnerability.
The vulnerability that was flagged in January was the reason for the breach, according to a statement posted on August 5. The company said it would notify account users of the issue.
It said the data breach was unfortunate and encouraged users to use two-factor verification to protect their accounts from unauthorized logins.