Data from 5.4 Million Twitter Users Leaked

The data of 5.4 million Twitter users was stolen using an API vulnerability (fixed in January of this year) is now posted for free on a hacker forum. The leaked data includes both public information and phone numbers with email addresses that should not have been made public.

Let me remind you that at the end of July 2022, the data of 5.4 million (5,485,636) Twitter users were put up for sale on the darknet. Then it was reported that this database arose as a result of combining open data with phone numbers and email addresses of users who became known due to the exploitation of the bug.

In the summer, an attacker valued the base at $30,000. According to media reports, two different buyers purchased the dump at a price lower than the original one, and experts warned that the data would most likely end up being released free of charge.

Then it turned out that this data was collected by several hackers in December 2021, through the use of a vulnerability in the Twitter API, a report on which can be found on HackerOne. “The vulnerability allows anyone, without any authentication, to find out the Twitter ID (which is almost equivalent to obtaining the username of the account) of any user through a phone number / email address, even if the user has prohibited this action in the privacy settings,” the researcher who found the bug explained.

As a result, Twitter representatives studied the incident and confirmed that the attackers used the problem to collect user data. The vulnerability was reported to have been closed in January 2022.

As Bleeping Computer writes now, experts’ predictions are coming true – the stolen data began to be distributed for free. The owner of the hacker forum Breached, known by the nickname Pompompurin, told reporters that he was responsible for exploiting the bug and creating a huge dump of user data. The hacker says he learned about the flaw from another attacker nicknamed Devil, who shared information about the vulnerability with him.

Worse, it turned out that in addition to this dump, information about another 1.4 million profiles of users blocked on Twitter was put up for sale, collected using a different API. As a result, the total number of “leaked” Twitter accounts containing personal information is already approaching 7 million. Pompompurin says that the second dump was not sold publicly, but was only given to a few people privately.

Journalists say that last week, November 24, information about 5.4 million users was published online for free. Pompompurin confirmed that this is the same data that was sold in August and contains profile details of 5,485,635 Twitter users.

Even worse, the publication warns that with the help of the mentioned vulnerability, it seems that another, even larger data dump was created. It can contain information about tens of millions of Twitter profiles, including phone numbers (collected using the same API bug) and public information: verified status, account names, Twitter ID, bio, and display name.

The news of this data breach came from information security expert Chad Loder, who first reported the issue and later posted an edited sample dump on his Mastodon.

The editors of Bleeping Computer also studied a sample of this previously unknown dump, which contained 1,377,132 phone numbers of users from France. Journalists also confirmed that the phone numbers are valid. It is emphasized that none of these phone numbers are presented in the August dump, which means that the data leak from Twitter was much larger than originally thought.

Pompompurin also confirmed that he does not know who created this newly discovered dump, which proves once again that other people have used the mentioned vulnerability in the API.

Journalists write that the recently discovered dump consists of many files broken down by country and region codes, including Europe, Israel and the United States. According to rumors, it includes information about 17 million accounts, although this has not yet been confirmed.