Source: Alphacoders
Private Twitter data pertaining to 5 million users was reshared in a hacker forum last Thursday after first being leaked in July.
Whereas July’s leak came with a price tag of $30,000, Thursday’s dump was provided for free.
Pompompurin, the owner of the hacking forum HackerOne, confirmed to BleepingComputer over the weekend that his site was responsible for the initial data dump.
Back in December, a Twitter API bug was discovered as part of the forum’s bug bounty program, which let people retrieve specific Twitter IDs by submitting an associated phone number or email address. This allowed threat actors to build user records on millions of accounts using both public and private information.
Enough data was collected by July for a threat actor to start selling the private info of 5.4 million users for $30,000 in an online forum. This data included phone numbers and email addresses, alongside public information like names, Twitter IDs, locations, login names, and verified status.
In addition, a second data breach affecting 1.4 million suspended users took place, taking the total of affected profiles up to almost 7 million.
The data batch affecting 5.4 million users was freely reshared on a hacking forum on November 24th. According to Pompompurin, this is indeed the same data that was for sale for thousands of dollars in July and August.
“These records contain either a private email address or phone number, and public scraped data, including the account’s Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs,” wrote BleepingComputer.
While the API bug used to discover the data had been fixed by January 2022, the same exploit has reportedly been used to enact an even larger data breach.
Security expert Chad Loder claimed as much over Twitter last Wednesday, saying he’d received “evidence” of a breach affecting millions of American and European users. “The dataset includes verified accounts, celebrities, prominent politicians, and government agencies,” he added.
Chad Loder’s account was suspended shortly after publishing his claims.
Multiple crypto firms including Celsius and OpenSea were struck with an email data breach in July due to a disgruntled employee at Customer.io, which handled customer communications for both firms.