Over 5.4 million Twitter users' data stolen, leaked online

According to reports, over 5.4 million Twitter users’ data was stolen through an API vulnerability and shared for free on a well-known hacker forum. The data includes scraped public information as well as private phone numbers and email addresses not intended to be public.

If this sounds familiar, it is because last July, a hacker began selling the private information of 5.4 million Twitter users for $30,000. This data—collected in December 2021—was also collected using a Twitter API vulnerability that was disclosed in the HackerOne bug bounty program.

If someone submitted a phone number or email address to the API, they could retrieve the associated Twitter ID, which links a supposedly private contact detail to a public account.
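To make the flaw concrete, here is an added, illustrative model of a contact-discovery endpoint (constructed example code, not Twitter's API or any code from the report). The user records, the `lookup_vulnerable` / `lookup_hardened` functions and the `Quota` class are all assumptions made for the demonstration. The vulnerable lookup answers for every email or phone in the database, so an attacker with a list of candidate contacts can build an email/phone-to-account mapping; the hardened version only answers when the owner opted into discoverability by that contact type, returns the same "no match" for private and non-existent contacts, and caps how many probes one caller may make.

```python
"""Constructed model of a contact-discovery endpoint that leaks account
linkage, beside a hardened version. Not Twitter's API or code; every
record below is made up for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class User:
    user_id: int
    screen_name: str
    email: str
    phone: str
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False


# Hypothetical user records (constructed sample data).
USERS = [
    User(1001, "alice", "alice@example.com", "+15550000001", True, True),
    User(1002, "bob", "bob@example.com", "+15550000002", False, False),
    User(1003, "carol", "carol@example.com", "+15550000003", True, False),
]


def _find(contact: str) -> Optional[User]:
    """Exact match on email or phone; shared by both lookups."""
    for u in USERS:
        if contact == u.email or contact == u.phone:
            return u
    return None


def lookup_vulnerable(contact: str) -> Optional[int]:
    """Returns the account ID for ANY stored email/phone, ignoring the
    owner's discoverability settings. This is the class of flaw the
    article describes: private contact details become a lookup key."""
    u = _find(contact)
    return u.user_id if u else None


def lookup_hardened(contact: str) -> Optional[int]:
    """Answers only when the owner opted into being found by this kind of
    contact. A private contact and an unknown contact both return None,
    so the response does not reveal whether the contact is on file."""
    u = _find(contact)
    if u is None:
        return None
    is_email = "@" in contact
    if is_email and u.discoverable_by_email:
        return u.user_id
    if not is_email and u.discoverable_by_phone:
        return u.user_id
    return None


def enumerate_contacts(candidates: Iterable[str],
                       lookup: Callable[[str], Optional[int]]) -> Dict[str, int]:
    """What a scraper does: feed candidate contacts through the endpoint
    and keep the hits as a contact -> account-ID mapping."""
    hits: Dict[str, int] = {}
    for c in candidates:
        uid = lookup(c)
        if uid is not None:
            hits[c] = uid
    return hits


class QuotaExceeded(Exception):
    pass


class Quota:
    """Per-caller probe budget (hypothetical control). Legitimate contact
    sync stays cheap; millions of probes from one client do not."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.used: Dict[str, int] = {}

    def check(self, caller: str) -> None:
        n = self.used.get(caller, 0) + 1
        if n > self.limit:
            raise QuotaExceeded(caller)
        self.used[caller] = n


def lookup_hardened_with_quota(caller: str, contact: str, quota: Quota) -> Optional[int]:
    """Hardened lookup that also enforces the caller's probe budget."""
    quota.check(caller)
    return lookup_hardened(contact)


if __name__ == "__main__":
    probes = ["alice@example.com", "bob@example.com", "+15550000003", "nobody@example.com"]
    print("vulnerable:", enumerate_contacts(probes, lookup_vulnerable))
    print("hardened:  ", enumerate_contacts(probes, lookup_hardened))
```

Run against the same four probes, the vulnerable lookup hands back three account IDs, including bob's, who never opted into discovery; the hardened lookup returns only alice's, and any caller that exceeds its quota is cut off before it can sweep a large candidate list.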

According to BleepingComputer, multiple threat actors were using the API vulnerability to steal private information from Twitter.

Twitter fixed the API vulnerability in January 2022 after it was reported through the HackerOne bug bounty program.

In addition to the 5.4 million users’ data that was collected using the API vulnerability, a second set of data was collected using a different API. In total, over 7 million Twitter user profiles with private information were collected.

The second data set was never sold or publicly released; the 5.4 million-record set that was sold in July has now been released for free to the public.

According to BleepingComputer, “These records contain either a private email address or phone number, and public scraped data, including the account’s Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs.”

While the 5.4 million Twitter user database is available for free, more concerning is that a second database is privately available with even more user data.

Security expert Chad Loder first broke the news on Twitter and, according to BleepingComputer, was suspended soon after posting. He has since posted a redacted sample of this larger breach on Mastodon.

BleepingComputer has been able to independently verify that the user data provided in the dump—which contains over 1.3 million phone numbers of French Twitter users—is legitimate.

This private data dump reportedly contains user data from users located in Europe, Israel, and the United States. It could be as large as 17 million users, but BleepingComputer was unable to confirm this.

BleepingComputer reached out to Twitter regarding this developing situation, but has yet to receive a response.

Hats off to BleepingComputer for this exceptional report and independent verification.
