Private data of 5.4 million Twitter users posted online

The API vulnerability led to the compromise of millions of Twitter accounts

Millions of Twitter accounts' data publicly shared on hacking forums for free

It was recently uncovered that 5.4 million records of Twitter users have been stolen and published online. The breach occurred as a result of the Twitter Application Programming Interface (API) vulnerability, which was initially patched in January 2022.

Later, another 1.4 million social media profiles were collected thanks to the vulnerability in another API. Perpetrators shared the data on hacker forums known as Breached Forums, bringing the total number of Twitter user accounts affected to almost 7 million. In addition, a security researcher disclosed that the scope of this vulnerability was much larger than initially thought.

The information consists of mostly publicly available data, although some personal details, such as emails and phone numbers, were also leaked, which could lead to serious privacy issues for Twitter users.

The original hack

In August 2022, Twitter publicly announced that an unknown threat actor had obtained information on some user accounts. According to the blog post, the hack occurred due to a vulnerability present within Twitter systems, introduced by a bug in one of the code updates applied in June 2021.

The bug would have let anyone who submitted an email address or phone number to Twitter's systems learn which Twitter account that information was linked to:[1]

We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.

Twitter found out about the vulnerability thanks to the HackerOne bug bounty program[2] in December 2021, and according to the blog post, it did not see any cause for concern, as there was no indication of data compromise at the time. The vulnerability was simply patched and temporarily forgotten about.
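The enumeration pattern behind the bug described above, shown as an added defender-side illustration that is not Twitter's code: a lookup handler that reveals account linkage, a uniform-response version beside it, and a simple per-client probe counter that a detection pipeline could use. The account table, identifiers and handles are constructed sample data.

```python
# Added illustration (not Twitter's code): an account-lookup handler that
# leaks account linkage, beside a hardened version that answers uniformly.
from collections import defaultdict

# Constructed sample data: identifier (email or phone) -> account handle
ACCOUNTS = {
    "alice@example.com": "alice_handle",
    "+15555550100": "bob_handle",
}

def lookup_leaky(identifier: str) -> str:
    """Vulnerable pattern: the response reveals whether the identifier is
    registered and which account it belongs to, so the login step doubles
    as an oracle that links emails/phones to accounts."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return "No account is associated with this email or phone."
    return f"Identifier belongs to @{handle}; continue to password step."

def lookup_hardened(identifier: str) -> str:
    """Mitigation: identical message whether or not the identifier exists,
    and the handle is never echoed back. The real outcome is delivered
    out of band (e.g. a message sent to the identifier itself)."""
    ACCOUNTS.get(identifier)  # do the same work on both paths
    return "If an account matches, we've sent further instructions."

class LookupMonitor:
    """Detection aid: count distinct identifiers probed per client. A
    legitimate user tries a handful; bulk enumeration tries thousands."""
    def __init__(self, threshold: int = 20):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def record(self, client_id: str, identifier: str) -> bool:
        """Return True once the client exceeds the probe threshold."""
        self.seen[client_id].add(identifier)
        return len(self.seen[client_id]) > self.threshold
```

A rate limit alone does not close the oracle; the uniform response is what removes the linkage, and the counter is there to surface abuse of whatever lookup endpoints remain.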

The sale of initial data and the subsequent limited release

The initial data dump of stolen user information was first publicized in July, when the personal information of 5.4 million people surfaced on the underground forums. The harvested data included mostly public information, such as Twitter IDs, login names, location, friends count, profile image, whether or not users are verified on the platform, and more.

Among the information included in the data dump was also private data connected to the said accounts, including emails and phone numbers. The post on the hacking forums, released on July 21, claimed that the details of 5,485,636 users, among which were celebrities and other powerful individuals, were available for sale for $30,000.

Pompompurin, the owner of Breached Forums, states that Devil (another individual involved in the incident) shared crucial data that led to bug exploitation and data theft, as reported by Bleeping Computer.[3] While the initial data of 5.4 million users was sold to the highest bidder back in July, it has now been published on the same forum for free.

As a result, anyone who can access the forums can now obtain all the data of the leaked Twitter accounts. Another batch of 1.4 million records was shared privately among a few threat actors.

Security researcher suspended for disclosing a potentially larger Twitter leak

While the release of the data for free is concerning in itself, a potentially larger breach is suspected, stemming from the same API vulnerability. It is claimed that this data dump may tie personal user data to publicly available information and cover tens of millions of Twitter accounts.

The security researcher Chad Loder, who uncovered this information, contacted several of the victims, who then confirmed that the data was accurate.[4] None of this account data was present in the previously leaked dump of 5.4 million records, which suggests that this is a separate dataset.

Following his post about this breach on Twitter, which received more than 15k likes, his account was immediately suspended on the platform. The reasoning behind this decision remains unknown.

According to Pompompurin, the new batch of data was not stolen by them, and they don't know who's behind it. There could be as many as 17 million records leaked in this breach, which can be detrimental to the owners of these accounts.

As a precautionary measure, Twitter users are urged to be wary of emails (potentially addressing them by their real names) that claim their accounts have been suspended, hacked, or otherwise affected. Phishing emails might look identical to official Twitter messages, so clicking links and entering account information into the pages they lead to is not recommended.

About the author

Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
