Twitter’s API once held such an easily exploitable flaw that hackers managed to grab 5.4 million user details. Now, according to reports and mentions from users in hacker forums, there are several million more points of user data floating around on the internet.
BleepingComputer reported Monday that the 5.4 million user records containing passwords, phone numbers, emails and more may have been just the tip of the iceberg for a much larger breach in company data. The data had been originally jacked from Twitter using a flaw in the platform’s application programming interface (API), but is now being shared openly online. As summarized at the start of this year by HackerOne, hackers found there was a way to allow anyone to get the Twitter ID of a user by submitting their phone number or email to the system, even if the user had turned off that option in their account.
Twitter came clean about the original exploit in their API and the breach of millions of user IDs. At the time, the platform said it was notifying users they could confirm were impacted by the data breach. But noted anti-fascist researcher and security wonk Chad Loder included some proof of an additional data theft on his Mastadon profile on November 25. Loder told 9to5Mac last week that there appeared to be “multiple threat actors, operating independently” taking data from the UK, some EU nations, and some parts of the U.S., mostly from late 2021. That second data set could include somewhere around 1.4 million more profiles.
A thread published on BreachForums, AKA Breached, last week shared the original 5.4 million data points for free, and as of reporting that forum thread is still up and running. Gizmodo was unable to confirm the authenticity of the data, though the forum thread noted the additional 1.4 million from suspended accounts may still be spreading only in private circles.
Though there is still a question of how many of those accounts include new info. LeakCheck, a cybersecurity password checker, noted on that same forum thread that maybe only 12% of those emails found in the more than 500GB of data were new, AKA that haven’t been found in previous leaks.
Gizmodo reached out to LeakCheck for confirmation but we did not immediately hear back.
So that’s up to 7 million users or former users who may have their account info floating around the internets. BleepingComputer also said it had contacted the user who goes by Pompompurin, the owner of Breached, who claimed to be the original hacker who exploited Twitter late last year. The 1.4 million records were not supposed to be public, according to Pompompurin, though it seems they’ve been leaked anyway. BleepingComputer noted the data could consist of over 17 million users’ records, much more than what was originally reported, though the full number hasn’t been legitimately identified.
Hackers on the Breached hacker forum had originally put up that data for $US30 ($42) million, but this most recent report now says the data is up for free online. BleepingComputer noted it gained access to a 1.37 million portion of the leaked records for users in France. It has since confirmed with at least some of those users listed in the leak that their numbers were valid. There could be even more phone numbers in the newest listing compared to what was shown earlier this year.
Though Twitter has more than 200 million active daily users (even though CEO Elon Musk is excessively claiming those users are on the rise) a breach of 17 million would be one of the bigger user data breaches, though not the largest by any stretch. A hacker previously stole 100 million instances of user info from CapitalOne, and the hacker responsible was sentenced to five years of probation. LinkedIn has dealt with 500 million user profiles scraped from their systems. Ride hailing company Uber has experienced major hacks of user data twice, one in 2016 and another just a few months ago.
Gizmodo reached out to Twitter but in the age of Musk and the apparent end of Twitter’s press team, we have not heard back from the company in weeks.
Editor’s Note: Release dates within this article are based in the U.S., but will be updated with local Australian dates as soon as we know more.