Over 5.4 million user records from Twitter containing private information are being distributed freely on a hacking forum. The data was scraped off Twitter using an API vulnerability fixed in January this year.
The vulnerability in question allowed attackers to input private information like email addresses or phone numbers when logging into Twitter and fetch the Twitter ID associated with them. The vulnerability was disclosed in Twitter’s HackerOne bug bounty program and allowed a threat actor named ‘devil’ to scrape data off twitter, which they attempted to sell on a hacking forum in July this year for $30,000.
This threat actor shared this API vulnerability with Pompompurin, the owner of BreachForums, who then exploited the bug further and created the data dump. Pompompurin confirmed to the BleepingComputer that this was the same data dump on sale on the forum containing 5,485,635 Twitter user records.
Since then, the database has been shared for free in September and now on November 24 on BreachForums. In addition to the 5.4 million records, there was also an additional 1.4 million Twitter profiles of suspended users collected using a different API, bringing the total to 6.8 million publicly available on the forum.
According to security researcher Chad Loder, there are also reports of an even larger database consisting of tens of millions of Twitter profiles, who spoke about the dump on Twitter itself and were later suspended from the platform. Loder has since posted a redacted sample of this database on Mastodon.
The database reportedly contains multiple files organising the data according to country and area code. This includes regions like Europe, Israel and the USA, with up to 17 million records. The creator of this database is unknown at the time of writing.
In the News: Whatsapp now lets you message yourself