Twitter data breach affects 5.4 million users and more could be at stake

An old API vulnerability has been the reason for a data leak of 5.4 million Twitter users in a hacking forum. This leak included a massive amount of Twitter records as per security researcher.

The Twitter data breach had information including mobile numbers and email addresses.

Breakdown on the Twitter Data Breach

In July, an anonymous user started selling personal data of 5.4 million Twitter users for $30,000 USD. It appears most of the data sold in the hacking forum had publicly scraped data including locations, login credentials, verified status, and more.

This Twitter data breach was scraped using a Twitter API vulnerability that allowed users to have alternate sign-in options using phone numbers and email addresses.

This data is then manipulated to obtain all the publicly available information about a user. Twitter also did confirm their data breach and mentioned it happened on Jan 2022.

Along with 5.4 million user records, it seems an additional 1.4 million records were identified that belonged to suspended user accounts leading to a leakage of 7 million records in total. Instead of selling this data on the dark web, users are sharing the same on hacking forums for free.

A new data dump of Tens of millions of Twitter users is identified

Totally different from the 7 million data leaked earlier, a new data dump with tens of millions of Twitter users has been collected using the same API bug again with further data scraping done by the threat actors.

Chad Loder, a Security expert tweeted first about this and a disclosed a sample of this data breach on Mastodon.

Twitter needs to act better while handling vulnerabilities, as the same API vulnerability was used for further data scraping and its definitely not a great security practices from the social media giant.

Considering the massive operational and positional changes that’s happening within Twitter, this new data breach of millions of data will only increase the burden on the company as well as the users, as it is the user’s data that is at stake.

With this Twitter data breach, hackers can perform spear phishing and targeted attacks for further breaches.

If you’re a user reading this, try updating your credentials including passwords, phone numbers if possible and ensure you aren’t using the same ones elsewhere. Considering the data dump and Twitter’s not so serious security posture, nothing is secured and safe.

Recently, Google paid 392 million, followed by Meta paying $276 million in penalties for exploiting user data without their consent. And, Twitter’s data dump theft looks similar to that of Meta’s data scraping and it cost Musk and his newly acquired company a massive penalty if proven true.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, and Twitter.

You can reach out to us via Twitter/ Facebook or mail us at admin@thecybersecuritytimes.com for advertising requests.