"5.4 Million Twitter Users' Stolen Data Leaked Online — More Shared Privately"

A hacker forum has shared over 5.4 million Twitter user records containing non-public information stolen through an Application Programming Interface (API) vulnerability that was fixed in January. A security researcher also revealed another massive, potentially more impactful, dump of millions of Twitter records, demonstrating how widely threat actors exploited this bug. The data consists of scraped public profile information combined with private phone numbers and email addresses.

Last July, a threat actor began selling the personal information of over 5.4 million Twitter users for $30,000 on a hacking forum. Although most of the information was public, such as Twitter IDs, names, login names, locations, and verified status, it also included private information, such as phone numbers and email addresses. This information was gathered in December 2021 by exploiting a Twitter API vulnerability reported through the HackerOne bug bounty program: the API allowed anyone to submit a phone number or email address and receive the associated Twitter ID in return. Threat actors could then scrape public information about the account using that ID, producing a user record that paired private contact details with public profile data.

In addition, an even larger data dump was allegedly created using the same vulnerability and could contain tens of millions of Twitter records. These include personal phone numbers obtained through the same API bug as well as public information such as verified status, account names, Twitter IDs, bio, and screen names. This article continues to discuss leaks of stolen information on Twitter users.
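The flaw described above is a contact-lookup endpoint that resolves any submitted email or phone number to an account ID. The following is an added example, not Twitter's code or anything from the article, contrasting that pattern with a lookup that honours a per-user discoverability opt-in and bounds each caller's requests; the in-memory user table, the `discoverable` flag and the `QUOTA_PER_CALLER` value are constructed assumptions standing in for real components.

```python
"""Contact-discovery lookup: the pattern the article describes beside a
hardened variant. Added example with constructed data; not Twitter's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    twitter_id: int
    email: str
    phone: str
    discoverable: bool  # assumed opt-in: "let others find me by email/phone"


# Constructed sample accounts, not real users.
USERS = [
    User(1001, "alice@example.com", "+15550000001", discoverable=True),
    User(1002, "bob@example.com", "+15550000002", discoverable=False),
]
_BY_CONTACT = {}
for _u in USERS:
    _BY_CONTACT[_u.email.lower()] = _u
    _BY_CONTACT[_u.phone] = _u

QUOTA_PER_CALLER = 5          # assumed per-caller lookup budget
_calls = defaultdict(int)     # caller -> number of lookups made


class QuotaExceeded(Exception):
    """Raised once a caller exceeds its lookup budget."""


def lookup_vulnerable(contact: str) -> Optional[int]:
    """Pattern behind the breach: every known email/phone resolves to an ID,
    regardless of the user's preference and with no throttling."""
    u = _BY_CONTACT.get(contact.lower())
    return u.twitter_id if u else None


def lookup_hardened(caller: str, contact: str) -> Optional[int]:
    """Only opted-in users resolve; an opted-out contact and an unknown contact
    return the same None, so the response does not confirm that an account
    exists. Each caller is limited to QUOTA_PER_CALLER lookups."""
    _calls[caller] += 1
    if _calls[caller] > QUOTA_PER_CALLER:
        raise QuotaExceeded(caller)
    u = _BY_CONTACT.get(contact.lower())
    if u is None or not u.discoverable:
        return None
    return u.twitter_id
```

The hardened variant still resolves users who opted in, since that is the feature's purpose; the quota bounds how much of that opted-in set any single caller can walk through.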

Bleeping Computer reports "5.4 Million Twitter Users' Stolen Data Leaked Online — More Shared Privately"
