Twitter API Vulnerability Led to the Breach of Millions of User Data Records
An API vulnerability in microblogging platform Twitter enabled the theft of at least 6.8 million user data records through multiple breaches.
A Twitter data breach that came to light in July 2022 is reportedly only half the story. Without disclosing how many users could have been impacted, Twitter confirmed a HackerOne-reported vulnerability behind a December 2021 breach that affected 5.4 million users. The true number now appears to be much higher, with more exposed data records than previously known.
While the 5.4 million records were available for $30,000 and were shared for free in September this year, revelations by Pompompurin to BleepingComputer indicate the presence of another data dump of 1.4 million records from suspended Twitter users.
Chad Loder, the founder of Habitu8, disclosed an even bigger, or in his words, “massive” data dump consisting of millions of data records of users from the U.S. and the EU. Loder, whose Twitter account was suspended shortly after breaking the news on the microblogging platform, said, “I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021.”
The breached data pairs public profile information (names, Twitter handles, locations, account creation dates, follower and favorites counts) with private contact details (email addresses and phone numbers), which is what makes it usable for linking a real person to an account, including pseudonymous ones.
The data was scraped by exploiting the same vulnerability that was abused in 2021. The theft of 5.4 million user data records was carried out by a threat actor going by the name Devil, while the theft of another 1.4 million records was the work of Pompompurin, the owner of the Breached hacking forum, who learned of the vulnerability from Devil.
Meanwhile, who was behind the “massive” data breach that Loder revealed remains a mystery.
“From what I have confirmed, the breached Twitter data covers, at a minimum, the full phone number spaces for multiple country codes in the EU, and some area codes in the US. The dataset includes verified accounts, celebrities, prominent politicians, and government agencies,” Loder added. “A similar breach was reported in August 2022 by @benlovejoy. But this CANNOT be the same breach, unless Twitter lied.”
The API vulnerability on Twitter let anyone submit a phone number or email address and learn which account it was linked to, via the ‘discoverability’ function, even when the account owner had opted out of being found that way. Twitter fixed it in January 2022, after a bug bounty report, roughly six months after a June 2021 code change introduced it.
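The two properties that make this class of bug scrapeable are (a) the lookup ignores the owner's discoverability setting and (b) the response for "no such account" differs from the response for "account exists", so a caller can walk an entire phone-number space and keep the hits. The following is an added, self-contained Python model of that behaviour and of a hardened version. It is not Twitter's code or API: the account records, handles, contact values, requester identifiers and function names are all constructed for illustration.

```python
"""Toy model of a contact-discoverability lookup and its hardened form.

Added illustration, not the platform's code. All accounts, contacts and
endpoint names are constructed; only the bug pattern is taken from the
article: contact -> handle resolution that ignores the user's opt-out.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool


# Constructed sample data: one account opted in, one opted out of discovery.
ACCOUNTS: List[Account] = [
    Account("alice", "alice@example.com", "+15550100", True, True),
    Account("bob", "bob@example.com", "+15550101", False, False),
]


def _find_by_contact(contact: str) -> Optional[Account]:
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct
    return None


def lookup_vulnerable(contact: str) -> Dict[str, object]:
    """Hypothetical buggy lookup: resolves any known email or phone to a
    handle without consulting the owner's discoverability setting, and
    answers differently for known and unknown contacts. Together these let
    a caller map contact -> account across a whole number space."""
    acct = _find_by_contact(contact)
    if acct is None:
        return {"found": False}
    return {"found": True, "handle": acct.handle}


class SlidingWindowLimiter:
    """Allow at most `max_calls` lookups per requester in any `window`
    seconds. The clock is injectable so behaviour is deterministic."""

    def __init__(self, max_calls: int, window: float,
                 clock: Callable[[], float]):
        self.max_calls = max_calls
        self.window = window
        self.clock = clock
        self._calls: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, requester: str) -> bool:
        now = self.clock()
        q = self._calls[requester]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


NOT_FOUND: Dict[str, object] = {"found": False}


def lookup_hardened(contact: str, requester: str,
                    limiter: SlidingWindowLimiter) -> Dict[str, object]:
    """Hardened lookup: honour the owner's setting for the contact type
    used, return an identical response for 'no account' and 'exists but
    opted out' so the two cases cannot be told apart, and throttle per
    requester so a number-space walk is impractical."""
    if not limiter.allow(requester):
        return {"error": "rate_limited"}
    acct = _find_by_contact(contact)
    if acct is None:
        return dict(NOT_FOUND)
    opted_in = (acct.discoverable_by_email if contact == acct.email
                else acct.discoverable_by_phone)
    if not opted_in:
        return dict(NOT_FOUND)
    return {"found": True, "handle": acct.handle}


def scrape(lookup: Callable[[str], Dict[str, object]],
           candidates: List[str]) -> List[Tuple[str, str]]:
    """Model of the scraping described in the article: feed a candidate
    list (for example every number in a phone-number range) to the lookup
    and keep the hits. Stops at the first rate-limit response."""
    hits: List[Tuple[str, str]] = []
    for contact in candidates:
        resp = lookup(contact)
        if resp.get("error") == "rate_limited":
            break
        if resp.get("found"):
            hits.append((contact, str(resp["handle"])))
    return hits


if __name__ == "__main__":
    # Constructed candidate list: a tiny slice of a number space plus an email.
    cands = [f"+1555010{i}" for i in range(5)] + ["bob@example.com"]
    print("vulnerable:", scrape(lookup_vulnerable, cands))
    limiter = SlidingWindowLimiter(max_calls=3, window=60.0, clock=lambda: 0.0)
    print("hardened:", scrape(
        lambda c: lookup_hardened(c, "203.0.113.7", limiter), cands))
```

Against the vulnerable lookup the scraper recovers every account, including the opted-out one, from a handful of guesses; against the hardened lookup it only ever sees the opted-in account and is cut off after three requests. The uniform response is the important part: rate limiting alone only slows a distributed scraper, while an indistinguishable response removes the signal entirely.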
Twitter was fined $150 million by the U.S. FTC in May 2022 for lapses in upholding user privacy.