Private information such as email addresses and phone numbers is present in the leak.
More than 5.4 million user records from Twitter have been published online,
exposing everything from private phone numbers to email addresses.
The data, which was released for free on a popular hacking forum this month,
was pilfered last December after hackers exploited an API vulnerability on the
social media platform.
Although Twitter says the issue was patched in January after it was reported
to the HackerOne bug bounty program, numerous threat actors were able to take
advantage before the vulnerability was fixed.
The leak, as first reported by BleepingComputer, contains not only private
phone numbers and email addresses but public scrapes of “Twitter IDs, names,
login names, locations, and verified status.”
Before the data was released for free, a hacker had attempted to sell it on
the same hacking forum for $30,000 in July.
The Daily Dot was able to confirm the presence of both private emails and
phone numbers in the data breach, including those belonging to high-profile
celebrities and politicians.
Aside from the 5.4 million user records, private data on more than 1.4 million
suspended Twitter accounts has also been shared privately online. The
additional data, according to BleepingComputer, has not been made public.
It also appears that the 5.4 million user records had been briefly offered
online for free in September as well.
While the data leak is undoubtedly concerning, an even larger dataset obtained
due to the API vulnerability was also discovered this month. Independent
researcher Chad Loder noted on Twitter the significance of the separate breach
before being suspended from the platform.
“I have just received evidence of a massive Twitter data breach affecting
millions of Twitter accounts in EU and US,” Loder wrote. “I have contacted a
sample of the affected accounts and they confirmed that the breached data is
accurate. This breach occurred no earlier than 2021.”
BleepingComputer also confirmed that the data in the breach referenced by
Loder was not the same as the data in the 5.4 million user records. Although
unconfirmed, the latest dataset is believed to contain over 17 million records
in total.
*This post has been updated.
Mikael Thalen is a tech and security reporter based in Seattle, covering
social media, data breaches, hackers, and more.
https://www.dailydot.com/debug/twitter-user-data-hack-5-million/
More:
https://www.bleepingcomputer.com/news/security/54-million-twitter-users-stolen-data-leaked-online-more-shared-privately/