It has been discovered recently that over 5.4 million personal records of Twitter users have been stolen by threat actors and publicly exposed on a hacker forum for free.
To accomplish this, the threat actors exploited an API vulnerability that was fixed in January. On the popular hacking forum Breached Forums, they offered the stolen data for sale to interested users.
Before the fix, this bug was exploited by an unknown number of malicious actors, demonstrating how widely the flaw was abused.
Data Leaked Online
The vulnerability was first reported by HackerOne in January of this year. Anyone could take advantage of this flaw by submitting an email address or phone number and receiving the associated Twitter ID, which could then be used for further abuse.
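The lookup described above is an account-enumeration oracle: an unauthenticated caller learns, for any email address or phone number, whether it belongs to an account and which one. The Python below is an added example written for this article, not Twitter's code; nothing about Twitter's real endpoint, limits or logging is known from the page. It places the oracle pattern beside a hardened contact lookup (authenticated caller, per-client rate limit, opt-in discoverability, and an identical response for "no such account" and "opted out"), and adds a simple check over request-log lines that flags a client querying many distinct identifiers in a short window. The directory, client names, thresholds and log lines are all constructed for illustration.

```python
"""Account-enumeration oracle beside a hardened lookup, plus a log check.
Added example, not Twitter's code; all data and thresholds are constructed."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample directory: identifier -> (user_id, discoverable opt-in).
DIRECTORY = {
    "alice@example.com": (1001, True),
    "+15550100": (1002, False),  # registered, but opted out of lookup
}


def lookup_vulnerable(identifier: str) -> dict:
    """Oracle pattern: any caller learns whether an identifier is registered
    and which account it maps to, so feeding in address or phone lists
    yields a user-ID data set."""
    hit = DIRECTORY.get(identifier)
    if hit is None:
        return {"found": False}
    return {"found": True, "user_id": hit[0]}


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` lookups per client within `window` seconds."""
    limit: int
    window: float
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_hardened(identifier: str, client: str, limiter: SlidingWindowLimiter,
                    now: float, authenticated: bool) -> dict:
    """Hardened form: the caller must be authenticated and within its rate
    limit, only accounts that opted in are discoverable, and an unknown
    identifier and an opted-out account return the same body."""
    if not authenticated:
        return {"error": "unauthenticated"}
    if not limiter.allow(client, now):
        return {"error": "rate_limited"}
    hit = DIRECTORY.get(identifier)
    if hit is None or not hit[1]:
        return {"match": None}  # indistinguishable for the two cases
    return {"match": hit[0]}


# Constructed request log: "<timestamp> <client> <identifier>" per line.
SAMPLE_LOG = """\
0.0 client-A a1@example.com
1.0 client-A a2@example.com
2.0 client-A +15550101
3.0 client-A a3@example.com
4.0 client-A a4@example.com
5.0 client-A +15550102
6.0 client-A a1@example.com
0.5 client-B alice@example.com
7.5 client-B alice@example.com
8.0 client-B +15550100
"""


def flag_enumerators(log_text: str, window: float, max_distinct: int) -> set:
    """Flag clients that query more than `max_distinct` distinct identifiers
    inside any `window`-second span. A legitimate contact sync is bursty
    too, so the threshold is a tuning assumption, not a fixed rule."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, ident = line.split()
        by_client[client].append((float(ts), ident))
    flagged = set()
    for client, events in by_client.items():
        events.sort()
        in_window = Counter()  # identifier -> occurrences inside the window
        start = 0
        for ts, ident in events:
            in_window[ident] += 1
            while ts - events[start][0] >= window:  # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    print("oracle:", lookup_vulnerable("+15550100"))
    lim = SlidingWindowLimiter(limit=3, window=60.0)
    print("hardened, opted out:", lookup_hardened("+15550100", "c1", lim, 0.0, True))
    print("hardened, unknown:", lookup_hardened("nobody@example.com", "c1", lim, 1.0, True))
    print("flagged clients:", flag_enumerators(SAMPLE_LOG, window=10.0, max_distinct=5))
```

The hardened handler still lets a user find friends who chose to be discoverable, which is the legitimate purpose of such an endpoint; what it removes is the free existence check that turns the endpoint into a bulk lookup oracle. The log check is deliberately simple and meant to be read alongside the limiter: rate limiting caps a single client, while the distinct-identifier count is what distinguishes an enumeration run from a user repeatedly checking the same contact.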
The data set contains the following things:-
- Twitter IDs
- Login names
- Verified status
- Private phone numbers
- Email addresses
- Other private information
Last July, an anonymous threat actor surfaced on a hacking forum selling the stolen data of more than 5.4 million Twitter users for $30,000.
It is estimated that these users range from:-
HackerOne’s bug bounty program disclosed a vulnerability in the Twitter API in December 2021, and this vulnerability was used to collect the data.
HackerOne’s disclosure has not been leaked, so it is unclear whether that is what happened. However, multiple threat actors were accessing Twitter users’ private information by exploiting this bug.
Twitter has confirmed that this massive data breach resulted from a bug in its API that was patched in January 2022.
The owner of the Breached hacking forum, Pompompurin stated:-
“As a result of another threat actor dubbed ‘Devil’ sharing the vulnerability with us, we were obliged to exploit the vulnerability and dump a massive amount of Twitter user information.”
In addition to the 5.4 million records offered for sale, 1.4 million profiles of suspended Twitter users were collected using a different API, bringing the total to almost 7 million Twitter profiles with private information exposed.
However, only a few people received this second data dump privately, which suggests that it was not offered for sale.
Data Shared for Free
Earlier this month, on November 24th, it was reported that the 5.4 million Twitter records had been made public on a hacking forum and were now available for free.
This dump includes a total of 5,485,635 Twitter user records, the same records that were included in the dataset sold in August. These records contain the following information:
- Email address
- Phone number
- Twitter IDs
- Screen name
- Verified status
- Follower count
- Account creation date
- Friends count
- Favorites count
- Statuses count
- Profile image URLs
There is concern that the same threat actors may have exploited the same vulnerability to create an even larger data dump.
Such a dump could contain tens of millions of Twitter records, which is a potentially alarming situation.
Security expert Chad Loder was the first to share news of this significant data breach on Twitter. Strikingly, his account was suspended by the platform shortly after he posted it.
Among the numerous files that make up this newly discovered data dump, a number are broken down by country and area code, including the following countries:-
- The USA
Users are advised to stay alert for phishing emails, since the stolen data could be abused by threat actors for targeted phishing attacks.