Twitter’s API once contained a flaw so easily exploitable that hackers managed to capture 5.4 million user details. Now, according to reports and user mentions in hacker forums, there are several million additional user data points floating around the internet.
BleepingComputer reported on Monday that the 5.4 million user records containing passwords, phone numbers, emails and more may have been just the tip of the iceberg of a much larger breach. The data was originally pulled from Twitter using a flaw in the platform’s application programming interface (API), but is now shared openly online. As summarized earlier this year on HackerOne, hackers discovered that the flaw allowed anyone to obtain a user’s Twitter ID by submitting that user’s phone number or email address to the system, even if the user had disabled this option in their account settings.
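The following is a hypothetical Python model of the lookup behaviour described above, added here as an illustration and not Twitter’s actual code: the flawed lookup resolves a contact to a user ID regardless of the user’s opt-out, the fixed lookup enforces the per-channel setting and answers exactly as it would for an unknown contact, and a small check flags clients that resolve far more distinct contacts than a normal contact sync would. All records, thresholds and client IDs are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool  # the settings a user can switch off
    discoverable_by_phone: bool


# Constructed sample directory, not real accounts.
USERS = [
    User(1001, "alice@example.com", "+15550000001", True, True),
    User(1002, "bob@example.com", "+15550000002", False, False),  # fully opted out
    User(1003, "carol@example.com", "+15550000003", False, True),  # phone only
]


def _find(contact):
    for u in USERS:
        if contact in (u.email, u.phone):
            return u
    return None


def lookup_weak(contact):
    """Flawed behaviour: any known email/phone resolves to a user ID; opt-out ignored."""
    u = _find(contact)
    return u.user_id if u else None


def lookup_fixed(contact):
    """Hardened behaviour: honour the per-channel discoverability setting.
    A non-discoverable user is reported exactly like an unknown contact,
    so the response carries no account-existence signal."""
    u = _find(contact)
    if u is None:
        return None
    allowed = u.discoverable_by_email if contact == u.email else u.discoverable_by_phone
    return u.user_id if allowed else None


def flag_enumerators(events, max_distinct=3):
    """Detection: events are (client_id, contact) lookup records; return the
    client IDs that queried more distinct contacts than the allowed threshold."""
    seen = {}
    for client, contact in events:
        seen.setdefault(client, set()).add(contact)
    return sorted(c for c, s in seen.items() if len(s) > max_distinct)
```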
Twitter came clean about the original API exploit and the breach of millions of user credentials. At the time, the platform said it had informed users so they could confirm whether they had been affected by the data breach. But noted antifascist researcher and security buff Chad Loder posted proof of an additional data theft on his Juggernaut profile on November 25. Loder told 9to5Mac last week that there appeared to be “several threat actors, operating independently” taking data from the UK, some EU countries and parts of the US, mostly from the end of 2021. This second dataset could include around 1.4 million additional profiles.
A thread posted on BreachForums, AKA Breached, shared the original 5.4 million data points for free last week, and as of the time of that report the thread was still up and running. Gizmodo was unable to confirm the authenticity of the data, although the forum thread noted that the additional 1.4 million records from suspended accounts may still be circulating only in private circles.
It remains to be seen how many of these accounts include new information. LeakCheck, a cybersecurity password-checking service, noted in that same thread that perhaps only 12% of the emails found in over 500GB of data were new, i.e. not found in previous leaks.
Gizmodo contacted LeakCheck for confirmation, but it did not immediately respond.
This therefore represents up to 7 million users or former users whose account information may be circulating on the internet. BleepingComputer also said it contacted the user who goes by the name Pompompurin, the owner of Breached, who claimed to be the original hacker who exploited Twitter late last year. The 1.4 million records weren’t supposed to be public, according to Pompompurin, though it appears they were leaked anyway. BleepingComputer noted that the data could consist of more than 17 million user records, far more than originally reported, although the full number has not been reliably established.
Hackers from the Breached hacker forum originally listed this data for $30 million, but this most recent report now says the data is freely available online. BleepingComputer noted it had access to part of the 1.37 million leaked records for users in France. It has since confirmed with at least some of the users listed in the leak that their numbers are valid. There could be even more phone numbers in the most recent list than in what was posted earlier this year.
Although Twitter has more than 200 million daily active users (even if CEO Elon Musk repeatedly claims these numbers are on the rise), a 17 million-record breach would be one of the biggest user data breaches, but not the biggest by far. A hacker previously stole 100 million instances of CapitalOne user information, and the hacker responsible was sentenced to five years of probation. LinkedIn has had 500 million user profiles scraped from its systems. Ride-sharing company Uber has experienced two major user data hacks, one in 2016 and another a few months ago.
Gizmodo reached out to Twitter, but in the era of Musk and the apparent end of the Twitter press team, we haven’t heard from the company in weeks.