Twitter’s API once had such an easy-to-exploit flaw that hackers managed to get their hands on 5.4 million user credentials. Now, according to reports and mentions from users on hacker forums, several million points of user data are still floating around the Internet.
BleepingComputer reported Monday that the 5.4 million user records containing passwords, phone numbers, emails and more may have been just the tip of the iceberg for a much larger corporate data breach. The data was originally stolen from Twitter using a flaw in the platform’s application programming interface (API), but is now being shared openly online. As summarized earlier this year by HackerOne, hackers discovered a way for anyone to find out a user’s Twitter ID by providing their phone number or email address to the system, even if the user had disabled that option in their account.
Twitter came clean about the original exploit in its API and the breach of millions of user IDs. At the time, the platform said it was notifying users it could confirm were affected by the data breach. But anti-fascist researcher and security wonk Chad Loder posted proof of an additional data theft on his Mastodon profile on November 25. Loder told 9to5Mac last week that there appeared to be “multiple threat actors, operating independently,” with data from the UK, some EU countries and some parts of the US, mostly from the end of 2021. That second dataset could contain about 1.4 million additional profiles.
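The setting bypass described above, as an added illustration that is not Twitter’s code (the account fields and function names are assumptions): a contact lookup that ignores the user’s discoverability setting, beside one that enforces the setting on the lookup path itself and returns the same “not found” answer for undiscoverable and nonexistent contacts, so the response does not reveal whether an email or phone belongs to an account.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory; field names are assumptions, not Twitter's schema.
@dataclass
class Account:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool

ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550001111", True, True),
    Account(1002, "bob@example.com", "+15550002222", False, False),
]


def lookup_vulnerable(email: Optional[str] = None,
                      phone: Optional[str] = None) -> Optional[int]:
    """Flawed lookup: matches on the contact detail alone and never consults
    the user's discoverability settings, so any known email or phone number
    resolves to a user ID even when the user opted out."""
    for acct in ACCOUNTS:
        if email and acct.email == email:
            return acct.user_id
        if phone and acct.phone == phone:
            return acct.user_id
    return None


def lookup_hardened(email: Optional[str] = None,
                    phone: Optional[str] = None) -> Optional[int]:
    """Hardened lookup: the per-user setting is checked on the lookup path,
    and an opted-out account yields exactly the same result as no account at
    all, so callers cannot tell the two cases apart from the response."""
    for acct in ACCOUNTS:
        if email and acct.email == email:
            return acct.user_id if acct.discoverable_by_email else None
        if phone and acct.phone == phone:
            return acct.user_id if acct.discoverable_by_phone else None
    return None
```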
A thread published on BreachForums, AKA Breached, shared the original 5.4 million data points for free last week, and as of the time of reporting, that forum thread is still active. Gizmodo couldn’t confirm the authenticity of the data, though the forum thread noted that the additional 1.4 million from suspended accounts may still be spreading only in private circles.
It’s still questionable how many of those accounts contain new information, though. LeakCheck, a cybersecurity password checker, noted in that same forum thread that perhaps only 12% of the emails found in the 500+ GB of data were new, i.e. not found in previous leaks.
Gizmodo reached out to LeakCheck for confirmation, but we didn’t immediately hear back.
So that’s up to 7 million users or former users who may have their account information floating around the internets. BleepingComputer also said it had contacted the user called Pompompurin, the owner of Breached, who claimed to be the original hacker who exploited Twitter late last year. The 1.4 million records would not be made public, according to Pompompurin, although it seems that they have been leaked anyway. BleepingComputer noted that the data could consist of more than 17 million user records, far more than originally reported, though the full number has not been confirmed.
Hackers on the Breached hacker forum originally posted that data for $30 million, but this most recent report now says the data is free online. BleepingComputer noted it gained access to a share of 1.37 million leaked records for users in France. It has since confirmed with at least some of the users listed in the leak that their numbers were valid. There could be even more phone numbers in the latest list compared to what was shown earlier this year.
Although Twitter has over 200 million active daily users (and CEO Elon Musk claims those numbers are on the rise), a breach of 17 million would be one of the largest user data breaches, but by no means the largest. A hacker previously stole the data of 100 million users from Capital One, and the hacker responsible was sentenced to five years of probation. LinkedIn has seen 500 million user profiles scraped from its systems. Ride-hailing company Uber has suffered major user data hacks twice, one in 2016 and another just a few months ago.
Gizmodo reached out to Twitter, but in Musk’s era and the apparent end of Twitter’s press team, we haven’t heard from the company in weeks.