
More than 5.4 million Twitter user records containing non-public information stolen using an API vulnerability patched in January have been shared for free on a hacker forum.

Another massive, potentially larger data dump of millions of Twitter records has also been leaked by a security researcher, demonstrating how widely this bug has been abused by threat actors.

The data consists of public profile information scraped from Twitter, combined with private phone numbers and email addresses that were never meant to be public.

The Twitter Data Breach

Last July, a threat actor started selling the private information of over 5.4 million Twitter users on a hacking forum for $30,000.

While most of the data consisted of public information, such as Twitter IDs, names, logins, locations, and verified statuses, it also included private information, such as phone numbers and email addresses.

Forum post selling the Twitter data
Source: BleepingComputer

This data was collected in December 2021 using a Twitter API vulnerability disclosed in the HackerOne bug bounty program which allowed people to submit phone numbers and email addresses into the API to retrieve the associated Twitter ID.

Using this ID, threat actors could then harvest public account information to create a user record containing both private and public information, as shown below.
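The two steps just described, a contact-to-ID oracle followed by a join against public profile data, are easier to reason about in code. The block below is an added illustration and is not Twitter's code: the account directory, profile table, endpoint names and limits are constructed for the example. It puts the enumeration-prone shape of such a lookup beside a hardened version that gives an identical response whether or not the contact is registered, does the real work out of band, and rate-limits each caller.

```python
"""Contact-to-account lookup: the enumeration-prone shape beside a hardened one.

Added illustration, not Twitter's code. ACCOUNTS, PUBLIC_PROFILES, the class and
function names, and the rate limit are assumptions made for this example.
"""
import time
from collections import defaultdict

# Constructed sample data: contact -> internal account id, and the public
# profile fields that any caller can read once it knows the id.
ACCOUNTS = {
    "+15550000001": 1001,
    "alice@example.test": 1001,
    "+15550000002": 1002,
}
PUBLIC_PROFILES = {
    1001: {"handle": "alice", "verified": False, "followers": 120},
    1002: {"handle": "bob", "verified": True, "followers": 90000},
}


def vulnerable_lookup(contact: str) -> dict:
    """Shape of the flaw described above: the response reveals whether the
    contact is registered and, if so, which account it belongs to."""
    account_id = ACCOUNTS.get(contact)
    if account_id is None:
        return {"found": False}
    return {"found": True, "id": account_id}


def build_records(candidates, lookup=vulnerable_lookup) -> list:
    """How a record like the leaked ones is assembled: every contact the
    oracle confirms is joined with the account's public profile."""
    records = []
    for contact in candidates:
        result = lookup(contact)
        if result.get("found"):
            profile = PUBLIC_PROFILES.get(result["id"], {})
            records.append({"contact": contact, "id": result["id"], **profile})
    return records


class HardenedLookup:
    """Same feature without the oracle.

    - The response is byte-for-byte identical for known and unknown contacts.
    - Anything account-specific goes to the contact's owner (the outbox here
      stands in for an SMS or email), never back to the caller.
    - Each caller gets a small number of attempts per window, which turns a
      bulk scrape into a slow trickle even if a response difference slips in.
    """

    def __init__(self, max_per_window=5, window_s=3600, clock=time.time):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.clock = clock                  # injectable for deterministic tests
        self.attempts = defaultdict(list)   # caller -> timestamps of attempts
        self.outbox = []                    # (contact, account_id) sent out of band

    def _rate_limited(self, caller: str) -> bool:
        now = self.clock()
        recent = [t for t in self.attempts[caller] if now - t < self.window_s]
        self.attempts[caller] = recent
        if len(recent) >= self.max_per_window:
            return True
        recent.append(now)
        return False

    def lookup(self, caller: str, contact: str) -> dict:
        if self._rate_limited(caller):
            return {"status": "rate_limited"}
        account_id = ACCOUNTS.get(contact)
        if account_id is not None:
            self.outbox.append((contact, account_id))
        # Same body on both paths: the caller learns nothing about membership.
        return {"status": "accepted"}
```

Usage: `build_records(["+15550000001", "+15559999999"])` against `vulnerable_lookup` yields a merged record for the first number and nothing for the second, which is exactly the membership signal that makes bulk enumeration worthwhile; the same two calls through `HardenedLookup.lookup` return the same dictionary.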

A redacted example of a leaked Twitter user record
Source: BleepingComputer

It is unclear whether the HackerOne disclosure itself leaked, but BleepingComputer has been informed that multiple threat actors were using the bug to steal private information from Twitter.

After BleepingComputer shared a sample of the user records with Twitter, the company confirmed that it had suffered a data breach through an API bug fixed in January 2022.

Pompompurin, the owner of the hacking forum Breached, told BleepingComputer over the weekend that he was responsible for exploiting the bug and creating the mass dump of Twitter user records after another known threat actor, going by the name "Devil", shared the vulnerability with him.

In addition to the 5.4 million records for sale, there were an additional 1.4 million Twitter profiles of suspended users, collected using a different API, bringing the total to nearly 7 million Twitter profiles containing private information.

Pompompurin said this second data dump was not being sold and was only shared privately among a few people.

Twitter data shared on a hacking forum

In September, and again most recently on November 24, all 5.4 million Twitter records were shared for free on a hacking forum.

5.4 million Twitter records leaked online for free
Source: BleepingComputer

Pompompurin confirmed to BleepingComputer that this is the same data that went on sale in August and includes 5,485,635 Twitter user records.

These records contain either a private email address or phone number, and retrieved public data, including the account’s Twitter ID, name, handle, verified status, location, URL, description, number of followers, account creation date, number of friends, number of favorites, status counts and profile picture URLs.

An even larger data dump created privately

While it is concerning that the threat actors released the 5.4 million records for free, an even larger data dump was allegedly created using the same vulnerability.

This data dump potentially contains tens of millions of Twitter records consisting of personal phone numbers collected using the API bug, verified status, account names, Twitter ID, bio and screen name.

News of this larger data breach comes from security expert Chad Loder, who broke the news first on Twitter and was suspended shortly after publication. Loder then posted a redacted sample of this larger data breach to Mastodon.

“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in the EU and US. I have contacted a sample of the affected accounts and they have confirmed that the breached data is accurate. This breach occurred no earlier than 2021,” Loder shared on Twitter.

Chad Loder shares news of the larger breach on Mastodon
Source: BleepingComputer

BleepingComputer obtained a sample file of this previously unknown Twitter data dump, which contains 1,377,132 phone numbers for users in France.

We have since confirmed with many users in this leak that the phone numbers are valid, verifying that this additional data breach is real.

Additionally, none of these phone numbers are present in the original data sold in August, illustrating how much larger the Twitter data breach was and the vast amount of user data circulating among threat actors.

Pompompurin also confirmed with BleepingComputer that they were not responsible and did not know who created this newly discovered data dump, indicating that other people were using this API vulnerability.

BleepingComputer has learned that this newly discovered data dump consists of numerous files divided by countries and area codes, including Europe, Israel, and the United States.

We were told it consisted of over 17 million records, but we couldn’t independently confirm that.

As this data can potentially be used for targeted phishing attacks to gain access to login credentials, it is essential to carefully examine any email claiming to be from Twitter.

If you receive an email saying your account has been suspended, that there are sign-in issues, or that you are about to lose your verified status, and it prompts you to sign in on a domain other than Twitter's, ignore and delete it: it is almost certainly a phishing attempt.
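The "different domain than Twitter" check above is the part people get wrong, because lookalike hosts are built precisely to pass a glance. The function below is an added example, not from the article, that performs the check the way a mail filter or a careful reader should: it extracts the host a browser would actually contact and compares whole labels from the right, so `twitter.com.evil.test`, `https://twitter.com@evil.test/` and `evil.test/twitter.com/login` are all rejected. The trusted-host list is an assumption for the example.

```python
"""Does a link in a 'Twitter' email really point at Twitter?

Added example, not part of the article. TRUSTED_HOSTS is assumed; adjust it
to the domains the service actually uses.
"""
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_HOSTS = ("twitter.com", "x.com")  # assumption for this example


def link_host(url: str) -> Optional[str]:
    """Return the normalised host a browser would connect to, or None when the
    URL is not an http(s) link."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname already drops userinfo ('twitter.com@evil.test'), the port,
    # and IPv6 brackets, which is where several URL tricks hide.
    host = parts.hostname
    if not host:
        return None
    host = host.lower().rstrip(".")
    try:
        # Compare in punycode so Unicode lookalike labels cannot match ASCII ones.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host


def points_at_trusted_site(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """True only when the host is a trusted domain or a subdomain of one.

    The comparison is on whole labels anchored at the right end, never a
    substring search, so 'twitter.com.evil.test' and 'twitter-com.example'
    both fail even though they contain the trusted name.
    """
    host = link_host(url)
    if host is None:
        return False
    return any(host == t or host.endswith("." + t) for t in trusted)
```

Usage: run every link in the message body through `points_at_trusted_site`; a single `False` is enough to treat the whole email as suspect, since a legitimate notice has no reason to send you anywhere else to sign in.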

BleepingComputer contacted Twitter on Friday about this additional data dump of private information, but has yet to receive a response.
