The Irish Data Protection Commission (DPC) has launched an investigation into a massive Twitter data leak following reports last month that non-public information from more than 5.4 million Twitter user records was leaked on a hacking forum.
The data was stolen by exploiting an API vulnerability that Twitter patched in January and consists of collected public information as well as private phone numbers and email addresses.
“The DPC has corresponded with Twitter International Unlimited Company (“TIC”) regarding a notified personal data breach that TIC claims to be the source of the vulnerability used to generate the datasets and has raised issues regarding GDPR compliance,” the Irish privacy regulator said on Friday.
“The DPC, having reviewed the information provided by TIC on this subject to date, is of the opinion that one or more provisions of the GDPR and/or the law may have been and/or are being breached with respect to the Twitter users’ personal data.”
Twitter’s main European watchdog wants to determine whether Twitter has complied with its obligations as a data controller regarding the processing of user data and whether it has breached the provisions of the EU's General Data Protection Regulation (GDPR) or the Data Protection Act 2018.
The privacy watchdog fined Twitter €450,000 (~$550,000) two years ago for failing to notify the DPC of a breach within the 72-hour GDPR deadline and failing to adequately document it.
Meta was also fined €265 million ($275.5 million) by the DPC in November for a massive 2021 Facebook data breach that exposed the personal information of hundreds of millions of users worldwide.
Facebook user data was also shared on a well-known hacking forum at the time, allowing threat actors to use it in targeted attacks.
Stolen Twitter user data has been on sale since July
The private information of over 5.4 million Twitter users went on sale on a hacking forum for $30,000 in July 2022.
Although most of this data was public information, such as Twitter IDs, names, logins, locations, and verified status, the leaked database also contained non-public user information, such as email addresses and phone numbers.
All of this data was collected in December 2021 using a Twitter API vulnerability disclosed via the HackerOne bug bounty program, which allowed anyone to submit phone numbers or email addresses to the API and receive the associated Twitter handle in return.
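As an added illustration (not Twitter's code or its real API), here is a minimal model of the lookup logic described above: a flawed contact-to-handle resolver that ignores account owners' discoverability settings, beside a hardened version that honours the per-channel opt-in, answers non-discoverable and non-existent contacts identically, and caps lookups per caller. All accounts, thresholds and function names are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool  # owner opted in to lookup by email
    discoverable_by_phone: bool  # owner opted in to lookup by phone


# Constructed sample accounts; none of these values are real.
USERS = [
    User("alice", "alice@example.com", "+15550100", True, False),
    User("bob", "bob@example.com", "+15550101", False, False),
]


def lookup_vulnerable(contact: str) -> Optional[str]:
    """Flawed lookup: any email or phone resolves to a handle regardless of
    the owner's discoverability settings, so a caller can feed in arbitrary
    contact details and learn which account each one belongs to."""
    for u in USERS:
        if contact in (u.email, u.phone):
            return u.handle
    return None


LOOKUPS_PER_CALLER: Counter = Counter()
MAX_LOOKUPS = 100  # assumed per-window quota for a single caller


def lookup_hardened(contact: str, caller_id: str) -> Optional[str]:
    """Same lookup with two controls: the owner's per-channel opt-in is
    honoured, and a match on a non-discoverable account returns the same
    result as no match at all; a per-caller quota limits bulk enumeration."""
    LOOKUPS_PER_CALLER[caller_id] += 1
    if LOOKUPS_PER_CALLER[caller_id] > MAX_LOOKUPS:
        raise PermissionError("lookup quota exceeded for caller")
    for u in USERS:
        if contact == u.email and u.discoverable_by_email:
            return u.handle
        if contact == u.phone and u.discoverable_by_phone:
            return u.handle
    return None
```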
After BleepingComputer shared a sample of the stolen user records with Twitter, the company confirmed that it had suffered a data breach linked to attackers exploiting an API bug fixed in January 2022.
BleepingComputer discovered that the bug was exploited by Pompompurin, the owner of the Breached hacking forum, who also harvested the information of an additional 1.4 million suspended Twitter users using a different API, bringing the total to nearly 7 million Twitter profiles whose private information was retrieved.
In September and November, the same database containing 5,485,635 Twitter user records was also shared for free on a hacking forum.
The records contain a wealth of public and private user data, including personal email addresses or phone numbers, as well as public profile data, including Twitter ID, name, handle, verified status, location, URL, description, number of followers, account creation date, number of friends, number of favorites, number of statuses and profile picture URL.
Data belonging to tens of millions of other users was also stolen
Security expert Chad Loder also shared on Twitter and Mastodon details of an even larger Twitter data dump containing potentially millions of Twitter records with personal phone numbers collected using the now-fixed API bug, along with some public information such as verified status, account names, Twitter ID, bio, and screen name.
“I have just received evidence of a massive data breach from Twitter affecting millions of Twitter accounts across the EU and US,” Loder said.
“I have contacted a sample of the affected accounts and they have confirmed that the hacked data is accurate. This hack occurred no earlier than 2021.”
BleepingComputer has since confirmed with many users affected by this second Twitter leak that the phone numbers are valid, verifying that this additional data breach is also real.
None of the phone numbers from this larger leaked database were present in the original data sold in August 2022, showing the vast amount of Twitter user data exchanged between threat actors and just how much larger the Twitter data breach was than previously known.
We were also told that the second leaked database contains over 17 million records, but we could not independently confirm this information.
Although BleepingComputer has contacted Twitter about this additional data dump of private user information, we are still awaiting a response.