Summer data breach at Twitter sees hackers publish stolen data, but even bigger data breach has since been uncovered
A data breach that impacted Twitter back in the summer has come back to haunt Elon Musk’s platform, after stolen data was published online.
It was in July this year that Twitter was compromised by a vulnerability that had existed since late 2021.
The hacker, who went by the username “devil”, began touting a Twitter database of 5.4 million users on the hacker forum Breached Forums in the summer for $30,000.
Breached Forums was the same hacker forum that gained international attention in July 2022 after a data breach exposed the data of over 1 billion Chinese residents.
The Twitter vulnerability allowed “devil” to acquire Twitter IDs, names, login names, locations, and verified status; it also exposed private information, such as phone numbers and email addresses, even if the user had hidden these fields in their privacy settings.
The bug was reportedly specific to Twitter’s Android client and involved Twitter’s API.
The vulnerability had already been patched by Twitter in January 2022.
Fast forward nearly five months, and BleepingComputer reported Monday that the 5.4 million user records containing passwords, phone numbers, emails and more have been shared free of charge on a hacker forum.
Pompompurin, the owner of the Breached hacking forum, told BleepingComputer last weekend that they were responsible for exploiting the bug and creating the massive dump of Twitter user records after “devil” had shared the vulnerability with them.
In addition to the 5.4 million records for sale, there were also an additional 1.4 million Twitter profiles for suspended users collected using a different API, bringing the total to almost 7 million Twitter profiles containing private information, BleepingComputer reported.
Pompompurin reportedly said that this second data dump was not sold and was only shared privately among a few people.
As if the free release of the 5.4 million records were not bad enough, worse news has followed: BleepingComputer reported that an even larger data dump was allegedly created using the same vulnerability.
According to BleepingComputer, news of this larger data breach came from security expert Chad Loder, who first broke the news on Twitter and was suspended soon after posting it.
Loder subsequently posted a redacted sample of this larger data breach on Mastodon, the social network that many Twitter users are switching to following Elon Musk’s takeover of the platform.
“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021,” Loder shared on Twitter.
BleepingComputer obtained a sample file of this previously unknown Twitter data dump, which contains 1,377,132 phone numbers for users in France.
BleepingComputer said it has since confirmed with numerous users whose data appears in this leak that the phone numbers are valid, verifying that this additional data breach is real.