A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.
It had previously been thought that only one hacker gained access to the data, and Twitter’s belated admission reinforced this impression…
HackerOne first reported the vulnerability back in January, which allowed anyone to enter a phone number or email address, and then find the associated twitterID. This is an internal identifier used by Twitter, but can be readily converted to a Twitter handle.
A bad actor would be able to put together a single database which combined Twitter handles, email addresses, and phone numbers.
At the time, Twitter admitted that the vulnerability had existed, and subsequently been patched, but said nothing about anyone exploiting it.
A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum, posted earlier today.
Twitter subsequently confirmed the hack.
In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
Massive Twitter data breach plural, not singular
There were suggestions on Twitter yesterday that the same personal data had been accessed by multiple bad actors, not just one. 9to5Mac has now seen evidence that this is indeed the case. We were shown a dataset which contained the same information in a different format, with a security researcher stating that it was “definitely a different threat actor.” The source told us that this was just one of a number of files they have seen.
The data includes Twitter users in the UK, almost every EU country, and parts of the US.
I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for entire country’s telephone number space from +XX 0000 to +XX 9999.
Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.
The option referred to here is a setting which is pretty deeply hidden within Twitter’s settings, and which appears to be on by default. Here’s a direct link.
Bad actors are believed to have been able to download around 500k records per hour, and the data has been offered for sale by multiple sources on the dark web for around $5k.
Security expert who tweeted about it has account suspended
Another security specialist who yesterday tweeted about the issue had their Twitter account suspended the same day. Internationally recognized computer security expert Chad Loder predicted Twitter’s reaction, and was confirmed right within minutes.
They told me that multiple hackers obtained the same data and combined it with data sourced from other breaches.
There appear to have been multiple threat actors, operating independently, harvesting this data throughout 2021 for both phone numbers and emails.
The email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability.
We would reach out to Twitter for comment, but Musk fired the entire media relations team, so …
FTC: We use income earning auto affiliate links. More.