Twitter today confirmed that the recent leak of millions of member profiles, including private phone numbers and email addresses, resulted from the same data breach the company disclosed in August 2022.
Twitter says its incident response team analyzed the leaked user data in November 2022 and confirmed it had been collected through the same vulnerability before the flaw was patched in January 2022.
“In November 2022, some news articles published that Twitter user data was allegedly leaked online,” read the update.
Data leak on a hacking forum
In January 2022, Twitter received a report through its bug bounty program that an API vulnerability allowed an attacker to submit an email address or phone number and obtain the Twitter ID of the associated account.
As members’ phone numbers and email addresses are not meant to be public, this could pose a significant risk to the privacy of Twitter users who wish to post anonymously.
By the time Twitter fixed the issue, a malicious actor had already exploited the API vulnerability to capture millions of email addresses and phone numbers to create 5.4 million user profiles consisting of public and non-public data.
This recovered data was then offered for sale on a hacker forum in July 2022 for $30,000, with two people allegedly buying it below the original asking price.
In September 2022 and November 2022, a malicious actor released a JSON file containing the full set of 5.4 million records collected in 2021, which until then had been circulated privately among a small number of threat actors.
Around the same time, a researcher also shared samples from an additional set of Twitter profiles collected using the same vulnerability, which was not included in the original breach of 5.4 million users.
This dataset is said to be much larger, containing 17 million records collected using the same API flaw.
Although BleepingComputer was unable to confirm the extent of this additional dataset, we were able to examine a sample of a dataset containing 1.4 million previously undisclosed French Twitter account records.
BleepingComputer used this sample to contact listed Twitter users and confirm that the leaked phone number belonged to them, confirming that this additional data set was valid.
Unfortunately, while Twitter’s latest update indicates that the data leaked last month is related to the previously disclosed vulnerability, the company has not confirmed the exact number of exposed users.
Twitter advises users to enable two-factor authentication, use authenticator apps or hardware keys to protect their accounts, and be extremely vigilant with incoming emails related to their Twitter accounts.
“We also encourage Twitter users to remain extremely vigilant when receiving any type of email communications, as threat actors may exploit leaked information to create highly effective phishing campaigns,” Twitter warns.
“Beware of emails conveying a sense of urgency and emails asking for your private information, always verify that emails are from a legitimate Twitter source.”
Update 12/12/22 – Title changed to indicate the breach occurred in 2021 and was confirmed in August.