Twitter acknowledged on August 5, 2022, that a threat actor had compiled a database of user data using a zero-day vulnerability. According to the microblogging service, this vulnerability was patched in January 2022, which breach has affected at least 5 million Twitter users, with a potential total of 20 million.
However, today, Bleeping Computer has reported that the database, which includes non-public information of more than 5 million users, has now been shared for free within a breached data marketplace forum. The data also reports that another database, potentially containing 17 million records, was created using the same vulnerable activities.
Twitter Confirmed Zero-Day Hack
Confirming the API zero-day vulnerable activities, Twitter in August this year, released an official statement to this effect. The statement reads:
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.” The statement continued: “…we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”
Revealing the Twitter User Records Shared Online
The database of 5,485,635 Twitter user records, which was first made available for sale for $30,000 in July, was released on November 24 on the Breach Forums website for free, according to the Bleeping Computer report. Most of the information, including Twitter identities, login names, and verification status, appears to be known to the general public. Private information, such as phone numbers and email addresses, is, according to the report, also provided.
As first revealed by a hacker on the HackerOne bug bounty platform (who earned a $5,000 payout from Twitter) the data appears to have been collected using an Application Programming Interface (API) flaw, allowing the data to be scrapped.
Huge Data Stolen from Twitter Users: Researcher
Chad Loder, a database researcher, also asserted that there is a larger database of stolen data that is distinct from the one that was previously disclosed but contained data gathered using the same API vulnerability. After being banned from Twitter, Loder posted to Mastodon a screenshot that had been censored and purportedly showed information from the new database, which, according to Loder, has information on whole nations.
Bleeping Computer received a sample of this database, which contained more than a million phone numbers for French Twitter users. The magazine claims that it has since verified with numerous users that the statistics are real and that the database contains member lists from Europe, Israel, and the United States in addition to the United States.
“We were told that it consists of over 17 million records but could not independently confirm this.” Bleeping Computer report added.