Data on more than 5.4 million Twitter users, containing non-public information acquired through an API vulnerability fixed in January 2022, has been shared for free on a hacker forum.
Besides this, a cybersecurity researcher has disclosed another huge and possibly more significant breach: a dump of millions of Twitter records combining scraped public information with private phone numbers and email addresses that are not supposed to be disclosed, Bleeping Computer reports.
Let’s take a look at the background of the Twitter breach.
When Was The Hack First Discovered?
Back in January 2022, HackerOne user “zhirinovskiy” reported a Twitter vulnerability that allowed an attacker to find a Twitter account by its phone number or email address, even if the user had prohibited this in the privacy options.
“This is a serious threat, as people can not only find users who have disabled discoverability by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections),” stated the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne.
On January 6, 2022, Twitter acknowledged the issue and fixed it on January 13, 2022. Back then, it did not say anything about anyone exploiting the vulnerability. The company even rewarded zhirinovskiy with a bounty of $5,040 for discovering the bug.
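To make the bug class concrete for defenders, here is an added toy model (not Twitter's code and not from the HackerOne report) of a "find account by phone/email" lookup: one version ignores the owner's discoverability setting, as the report describes, and the fixed version enforces it and answers identically for "no such account" and "account exists but is not discoverable", so the endpoint leaks nothing either way. A small monitor that flags bulk lookups from one client is included because the report's stated impact was mass enumeration. All names, accounts and thresholds are hypothetical.

```python
"""Toy model of a contact-lookup endpoint: the privacy bug described in the
report beside a hardened version, plus a simple enumeration monitor.
Everything here is illustrative; the directory is constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False   # user's privacy setting
    discoverable_by_phone: bool = False   # user's privacy setting


# Constructed sample directory; these are not real users.
DIRECTORY = [
    Account("alice", "alice@example.com", "+15550000001", True, True),
    Account("bob", "bob@example.com", "+15550000002", False, False),
]


def lookup_vulnerable(contact: str) -> Optional[str]:
    """Returns the handle for any matching email/phone, ignoring the owner's
    discoverability settings. This is the behaviour the report describes."""
    for acct in DIRECTORY:
        if contact in (acct.email, acct.phone):
            return acct.handle
    return None


def lookup_fixed(contact: str) -> Optional[str]:
    """Returns a handle only when the owner opted into discoverability for
    that channel. A non-discoverable account yields the same None as a
    non-existent one, so callers cannot infer whether the contact is in use."""
    for acct in DIRECTORY:
        if contact == acct.email and acct.discoverable_by_email:
            return acct.handle
        if contact == acct.phone and acct.discoverable_by_phone:
            return acct.handle
    return None


class LookupMonitor:
    """Flags a client that performs more than `limit` lookups within
    `window_s` seconds, the access pattern of a scripted enumeration."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)  # client_id -> timestamps

    def record(self, client_id: str, now: float) -> bool:
        """Record one lookup at time `now`; return True if the client has
        exceeded the limit inside the sliding window."""
        q = self._hits[client_id]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.limit


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("bob@example.com"))  # leaks 'bob'
    print("fixed:     ", lookup_fixed("bob@example.com"))       # None
    mon = LookupMonitor(limit=3, window_s=60)
    for t in range(5):
        print("lookup", t, "flagged:", mon.record("client-1", float(t)))
```

The hardened lookup is the point: enforcing the setting is necessary but not sufficient, since a lookup that returned a distinguishable "exists but hidden" error would still confirm which phone numbers and emails belong to accounts. Rate limiting alone would only have slowed the enumeration the report warned about, not prevented it.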
When Was The Data Leaked?
In July this year, a threat actor with the username “Devil” sold leaked data of 5.4 million Twitter accounts on the popular hacking forum Breached Forums for $30,000.
What Did the Leaked Data Consist Of?
The database contained information about numerous accounts, including celebrities, companies, and random users. The impacted data included either an email address or a phone number alongside other public information, such as Twitter IDs, names, login names, locations, verified status, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs.
Twitter Acknowledges The Hack
On August 5, Twitter acknowledged the data breach and said it was “unfortunate”.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” it said in a statement about the breach.
The company added it would “directly notify the account users [it] could confirm were affected by this issue”.
Not One But Multiple Threat Actors Have Exploited The Twitter API Vulnerability
It appears that before Twitter could address the flaw, multiple threat actors took the chance to exploit the API bug to steal private information from the microblogging site.
According to Bleeping Computer, the 5.4 million Twitter records were first shared for free on a hacking forum in September, and again more recently, on November 24th. In other words, anyone can now view this private information for free.
Pompompurin, the owner of the Breached hacking forum, told Bleeping Computer last weekend that the leaked Twitter data is the same that was sold in July this year.
It allegedly includes tens of millions of Twitter user records, including phone numbers, account names, Twitter IDs, display photos, verified statuses, bios, and screen names. This recent dump reportedly contains approximately 17 million records (a figure that could not be independently confirmed), which could be used to target users in phishing attacks.
Chad Loder, the founder of cybersecurity awareness company Habitu8, was the first to break the news of the alleged larger, more significant Twitter data breach, but his account was suspended immediately after he posted. Subsequently, he posted a redacted sample of this huge data breach on Mastodon.
“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021,” Loder shared on Twitter.
According to Loder, the data from this breach is “not the same data” as was seen in the July breach, as it is in a “completely different format” and has “different affected accounts”.
Bleeping Computer confirmed with several users that the phone numbers are valid, confirming this additional data breach is real. Apparently, the original data sold in August did not contain any of these phone numbers.
This only goes to show that Twitter’s data breach is much larger than previously disclosed, with a huge amount of user data being circulated among threat actors.
Meanwhile, Pompompurin confirmed with Bleeping Computer that this other massive breach was not their responsibility, and they did not know who created the newly discovered Twitter API bug, suggesting that other people were using this API vulnerability.
This newly discovered data dump comprises many files broken up by country and area code, covering Europe, Israel, and the USA.
Twitter has yet to provide a statement on the additional data dump of private information.
How Can Twitter Users Protect Themselves Against The Hack?
Twitter users are advised to ignore and delete any suspicious emails claiming account suspension, login issues, or loss of verified status, as these are likely phishing attempts to steal login credentials.
Users can also enable two-factor authentication using an authenticator app or a hardware security key to protect their accounts from unauthorized logins.
Source: Bleeping Computer