A collection of public and non-public information of 5.4 million Twitter users has been released on a hacking forum and can be downloaded free of charge. This is not a recent data breach, but a batch of data that was first listed for sale in December 2021, which the hacker listed for $30,000 at the time.
Public information on Twitter users was scraped and combined with legitimate phone numbers and email addresses, which are not publicly available. This was possible because of a Twitter API vulnerability that allowed a phone number or email address to be submitted in order to obtain the associated Twitter ID. Profile information was then scraped using that ID, including the account holder's name, screen name, location, follower count, friend count, and profile image.
The vulnerability in question was disclosed through the HackerOne bug bounty program and a patch to fix the flaw was released in January this year, but not in time to prevent the flaw from being exploited by several threat actors. According to Bleeping Computer, prior to being fixed, the bug was extensively exploited. Twitter disclosed the data breach in January 2022, after Bleeping Computer shared a sample of the records.
While 5.4 million records are now available for free, the individual who leaked the records – Breached hacking forum owner, Pompompurin – claims to have collected data from a further 1.4 million profiles using a different API, bringing the total up to 6.8 million. That smaller dataset was not made public but has been shared with a select group of individuals. It would also appear that another individual has obtained a much larger dataset, which potentially includes public and non-public information of more than 10 million Twitter users by exploiting the same vulnerability.
The news of the larger breach was shared by security expert Chad Loder on Twitter, which earned him an account suspension. He then switched to Mastodon to post redacted details of the breach. According to Loder, the dataset includes details from entire countries and has been split into country-specific samples. The dataset for France includes more than 1.3 million profiles, with the entire set reportedly containing the details of 17 million users.