Twitter has now confirmed that the 5.4 million user records leaked and sold on a hacking forum in July this year for $30,000 were in fact collected using the vulnerability the company disclosed in August 2022 that allowed attackers to abuse its APIs to scrape data.
The bug was patched in January 2022 and there was a second leak in November 2022 where the alleged data dump containing 5,485,635 Twitter user records was now being distributed for free. The company has confirmed that the databases from July and November are identical.
The database leaked in November had previously been shared for free on BreachForums in September. Additionally, there were reports of an additional 1.4 million Twitter profiles of suspended users collected using a different API, bringing the total to 6.8 million publicly available on the forum.
According to security researcher Chad Loder, there are also reports of an even larger database consisting of tens of millions of Twitter profiles, who spoke about the dump on Twitter itself and were later suspended from the platform. Loder has since posted a redacted sample of this database on Mastodon.
The database reportedly contained multiple files organising the data according to country and area code. This includes regions like Europe, Israel and the USA, with up to 17 million records.
Twitter was initially informed of the flaw via its bug bounty program earlier in January this year and the issue was fixed upon discovery. The bug allowed anyone to enter an email address or phone number and password on the Twitter log in page and regardless of whether the password was correct or not, returned the associated Twitter ID with the email or phone number.
The bug resulted from an update to the codebase made in June 2021. The company immediately fixed the issue but found no evidence of any exploits. Later in July this year, Twitter learned through a press report that the vulnerability had been explored and the information collected was being sold. After reviewing a sample of the data that the threat actor was selling, Twitter could confirm that the vulnerability had been exploited before it was patched.