A Twitter data breach reported earlier this year that affected more than five million users is worse than initially thought.
In August, Twitter confirmed that an API vulnerability fixed in January had led to the exposure, but the company said there was “no evidence” that it had been exploited. Now the stolen information of over 5.4 million users has been shared for free on a hacker forum. On top of that, a security researcher warned that an even larger data dump was built using the same vulnerability.
The API vulnerability was first reported in January through HackerOne, the platform that runs Twitter’s bug bounty program. The flaw let anyone who knew a user’s phone number or email address learn which Twitter account it was linked to, and vice versa: an account-enumeration oracle that turns a list of contact details into a list of identified accounts. In July, a threat actor with the username “devil” began selling the dataset for $30,000. Pompompurin, the owner of the Breached hacking forum, confirmed that the dataset now available for free on the forum is the same one that “devil” had.
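To make the class of bug concrete, here is an added example of a contact-lookup endpoint with exactly this weakness beside a hardened version. It is not Twitter’s code and says nothing about Twitter’s actual endpoints; the account table, function names, phone numbers and responses are all constructed for illustration. It shows how a check that answers “which account uses this email or phone?” (or confirms that a given contact belongs to a given account ID) lets an attacker who already holds a list of contacts build the contact-to-account mapping that was later dumped, and how the same flow looks once the response no longer depends on whether the contact is linked.

```python
"""Account-enumeration oracle via a contact-lookup endpoint, and its fix.

Added illustration, not code from Twitter or from any real service. All
accounts, identifiers and contact details below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    handle: str
    email: str
    phone: str
    verified: bool


# Constructed stand-in for the provider's user table.
ACCOUNTS = [
    Account(1001, "alice_example", "alice@example.org", "+15550100", True),
    Account(1002, "bob_example", "bob@example.org", "+15550101", False),
    Account(1003, "carol_example", "carol@example.net", "+15550102", False),
]
_BY_CONTACT = {a.email: a for a in ACCOUNTS} | {a.phone: a for a in ACCOUNTS}
_BY_ID = {a.account_id: a for a in ACCOUNTS}


def lookup_vulnerable(contact: str) -> dict:
    """Hypothetical 'is this email/phone already in use?' check.

    The response differs for linked and unlinked contacts, and for a linked
    one it even returns the account: one request per contact is enough to
    identify the account behind it.
    """
    acct = _BY_CONTACT.get(contact)
    if acct is None:
        return {"linked": False}
    return {"linked": True, "account_id": acct.account_id, "handle": acct.handle}


def confirm_contact_vulnerable(account_id: int, contact: str) -> bool:
    """The reverse direction: does this contact belong to this account ID?

    A yes/no answer is a one-bit oracle; repeated over candidate numbers it
    recovers the phone or email behind a known account.
    """
    acct = _BY_ID.get(account_id)
    return acct is not None and contact in (acct.email, acct.phone)


def enumerate_accounts(candidates: list[str]) -> dict[str, dict]:
    """Attacker's use of the oracle: feed contacts from an earlier breach or
    a phone-number range, keep the hits. The result is a contact-to-account
    mapping of the kind that ends up in a leaked dataset.
    """
    hits = {}
    for contact in candidates:
        result = lookup_vulnerable(contact)
        if result["linked"]:
            hits[contact] = {k: v for k, v in result.items() if k != "linked"}
    return hits


def _send_out_of_band_notice(contact: str) -> None:
    """Placeholder for an email/SMS to the contact's real owner. Nothing about
    it is returned to the caller, so the caller learns nothing."""


def lookup_hardened(contact: str) -> dict:
    """Same user-facing flow with the oracle removed.

    The lookup result drives only a side effect delivered to the contact
    itself; the HTTP response is byte-for-byte identical either way. Rate
    limiting and authentication on top of this shrink the blast radius but
    do not replace a uniform answer.
    """
    if contact in _BY_CONTACT:
        _send_out_of_band_notice(contact)
    return {
        "status": "ok",
        "message": "If this contact can be used, instructions have been sent to it.",
    }


def distinct_hardened_responses(candidates: list[str]) -> int:
    """Attacker's view of the hardened endpoint: how many different responses
    a list of linked and unlinked contacts produces. One means no oracle."""
    seen = {tuple(sorted(lookup_hardened(c).items())) for c in candidates}
    return len(seen)


if __name__ == "__main__":
    probe = ["alice@example.org", "+15550102", "nobody@example.org", "+15550199"]
    print("vulnerable endpoint yields:", enumerate_accounts(probe))
    print("hardened endpoint distinct responses:", distinct_hardened_responses(probe))
```

The check worth running against any “does this email/phone already have an account?” flow is the last function: submit a mix of contacts you know are registered and ones you know are not, and compare the responses (body, status code, and, in a real test, timing). If anything about the response depends on the match, the endpoint is an enumeration oracle regardless of how little it appears to leak per request.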
Pompompurin, the owner of the Breached hacking forum, told BleepingComputer on Sunday that they were responsible for exploiting the vulnerability and dumping 5.4 million records. The records combine private data (phone numbers and email addresses) with public profile data (account IDs, location, and verified status).
While the leak of 5.4 million users’ information is concerning, security researcher Chad Loder warned that tens of millions of other Twitter accounts’ information had been obtained using the same API vulnerability.
Loder first published the findings on Twitter and was promptly suspended for reasons that remain unclear. He then posted the details of the evidence on Mastodon. SC Media has reached out to Twitter with further questions.
“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in the EU and US. I have contacted a sample of the affected accounts, and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021,” Loder wrote on Twitter.
Pompompurin told BleepingComputer that they were not responsible for this additional dataset, which indicates that multiple threat actors exploited the same API vulnerability independently before it was fixed.
“API security is a relatively new concept, and while there have been many improvements on this front, APIs that have been around for several years have likely not benefited from the same security considerations as those developed more recently," Jerrod Piker, competitive intelligence analyst at Deep Instinct, told SC Media in an email. "As such, there are likely other open APIs within Twitter (as well as other public platforms) that are susceptible to the same type of vulnerability. It is highly likely that we will hear about similar data leaks in the future from Twitter and other public services."
Chris Denbigh-White, security strategist at Next DLP, told SC Media that the security community should stay alert to the breach, since the leaked information can be used to enable further attacks.
“[This breach] represents a goldmine of opportunity for would-be identity thieves or those seeking to use the information in support of social engineering attacks or wider profiling,” Denbigh-White said. “In the case of accounts used in political activism in countries with oppressive regimes, this breach could represent a genuine threat to the account owners.”
From a business perspective, Justin Shattuck, chief information security officer at Resilience Insurance, told SC Media that Twitter’s data dump is an important lesson for organizations about the rising security risks of relying on public platforms.
“Maybe [organizations’] leadership has accepted these risks, but the question is, do their advertisers also accept them?” Shattuck said.