Twitter data breach exposes 7 million users’ private information

A Twitter API vulnerability patched in January 2022 was widely exploited by threat actors before the fix, with one having shared the private information of 7 million users on a hacker forum.

According to Bleeping Computer, a security researcher has disclosed another, possibly more significant, data dump of millions of Twitter records containing non-public information, including phone numbers and email addresses.

In July 2022, a malicious actor started trying to sell the 7 million Twitter users’ private information — which they obtained by exploiting the API vulnerability — on the Breached hacking forum.

The flaw allowed malicious actors to enter phone numbers and email addresses into the API to get associated Twitter IDs, which they could then use to scrape further information.

Twitter confirmed that it had suffered a data breach after it saw a sample of the stolen user records. It said it had patched the vulnerability in January 2022.

Pompompurin, the owner of the Breached hacking forum, told BleepingComputer that the group was responsible for exploiting the flaw and creating the massive dump of Twitter user records.

The data includes private information from 1.4 million suspended accounts and 5.4 million active profiles, bringing the total number of profiles in the data dump to nearly 7 million.

The records are now being shared for free on a hacking forum.

Security researcher Chad Loder disclosed another, even larger data breach on Twitter on Wednesday, 23 November.

While the data includes similar information, the breach is far more widespread, affecting all Twitter accounts that have the “Let others find you by your phone” discoverability feature enabled.

“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US,” Loder’s post read.

“I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021.”

Loder’s account was suspended soon after disclosing the data breach on Twitter. It is unclear why his account was suspended, with Twitter stating that it suspends accounts that violate its rules.