A massive Twitter data breach last year that exposed more than five million phone numbers and email addresses was worse than initially reported. Evidence was presented to us that the same vulnerability had been exploited by multiple attackers, and the hacked data was offered for sale by multiple sources on the dark web.
It had previously been assumed that only one hacker had gained access to the data, and Twitter’s late admission reinforced that impression…
Background
The vulnerability was first reported through HackerOne in January 2022: anyone could enter a phone number or email address and get back the associated Twitter ID. That is an internal identifier used by Twitter, but it can easily be turned into a Twitter handle.
A bad actor would be able to compile a single database combining Twitter handles, email addresses, and phone numbers.
At the time, Twitter acknowledged the vulnerability, which was subsequently patched, but said nothing about anyone having exploited it.
RestorePrivacy later reported that a hacker had actually exploited the vulnerability to steal personal information from millions of accounts.
A verified Twitter vulnerability published in January was exploited by an attacker to allegedly obtain account details from 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired by this exploit is now being sold on a popular hacking forum, posted earlier today.
Twitter then confirmed the hack.
In July 2022, we learned through a press report that someone may have taken advantage of this and offered to sell the information they had compiled. After reviewing a sample of the data for sale, we confirmed that an attacker had exploited the issue before it was addressed.
Massive Twitter data breach: plural, not singular
Yesterday there were suggestions on Twitter that the same personal data had been accessed by multiple attackers, not just one. 9to5Mac has now seen evidence that this is indeed the case. We were shown a dataset containing the same information in a different format, with one security researcher stating that it was “definitely a different threat actor.” The source told us that this is just one of several files she has seen.
The data includes Twitter users in the UK, almost all EU countries and parts of the US.
I received multiple files, one per country code of the phone number, pairing phone number <-> Twitter account name for the whole phone number range of the country, from +XX 0000 to +XX 9999.
Any Twitter account that had the discoverability-by-phone option activated in late 2021 was listed in the record.
The option referenced here is a setting hidden fairly deep within Twitter’s settings and appears to be enabled by default. Here is a direct link.
Bad actors are believed to have been able to download around 500,000 records an hour, and the data has been put up for sale for around $5,000 from multiple sources on the dark web.
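One way to spot this kind of bulk lookup on the server side, as an added example that is not code from 9to5Mac, Twitter or any of the researchers quoted here: it assumes a hypothetical contact-lookup endpoint `/contacts/lookup` and a constructed log format, and flags any client that either queries more than a set number of distinct identifiers inside a short window or walks a contiguous block of phone numbers, which is the +XX 0000 to +XX 9999 sweep described above. The thresholds (20 distinct lookups per minute, a run of 5 consecutive numbers) are illustrative and far below the 500,000 records an hour reported here.

```python
"""Detect bulk contact-lookup enumeration from request logs.

Added example, not code from 9to5Mac, Twitter or any named researcher.
The endpoint path /contacts/lookup, the log format and every sample line
are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format:
#   "<ISO timestamp> <client> POST /contacts/lookup <phone-or-email> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) POST /contacts/lookup (?P<ident>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "ident": m["ident"],
        "status": int(m["status"]),
    }


def is_phone(ident):
    """E.164-style identifier: a '+' followed only by digits."""
    return ident.startswith("+") and ident[1:].isdigit()


def is_sequential_run(idents, min_run=5):
    """True if the client looked up at least min_run consecutive phone numbers."""
    nums = sorted(int(i[1:]) for i in idents if is_phone(i))
    run = 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False


def detect_enumeration(lines, window=timedelta(minutes=1), max_lookups=20, min_run=5):
    """Return {client: [reasons]} for clients whose lookups look like enumeration."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client[ev["client"]].append(ev)

    findings = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        reasons = []
        # Sliding window over time: count distinct identifiers, not raw requests,
        # so a user retrying one lookup is not mistaken for a scraper.
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = {e["ident"] for e in events[start:end + 1]}
            if len(distinct) > max_lookups:
                reasons.append(f"{len(distinct)} distinct identifiers within {window}")
                break
        # A contiguous number block is the signature of a country-range sweep.
        if is_sequential_run([e["ident"] for e in events], min_run):
            reasons.append(f"walked at least {min_run} consecutive phone numbers")
        if reasons:
            findings[client] = reasons
    return findings


# Constructed sample log: one ordinary user syncing two contacts, and one
# client sweeping 30 consecutive numbers in 30 seconds (numbers are fictional).
_BASE = datetime(2021, 11, 1, 12, 0, 0)
SAMPLE_LOG = [
    f"{_BASE.isoformat()} app-user-7 POST /contacts/lookup +447700900001 200",
    f"{(_BASE + timedelta(seconds=40)).isoformat()} app-user-7 POST /contacts/lookup friend@example.com 404",
] + [
    f"{(_BASE + timedelta(seconds=i)).isoformat()} scraper-1 POST /contacts/lookup "
    f"+44770090{1000 + i:04d} {200 if i % 3 else 404}"
    for i in range(30)
]


if __name__ == "__main__":
    for client, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

The distinct-identifier count catches email-list replay (feeding an existing breach corpus through the endpoint), while the consecutive-number check catches range sweeps even when they are throttled below the volume threshold. Either alert should be paired with the fix that actually closes the hole: returning an identical response for known and unknown identifiers, and rate-limiting per account and per IP.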
Security expert who tweeted about this had his account suspended
Another security specialist who tweeted about the issue yesterday had his Twitter account suspended the same day. Internationally recognized computer security expert Chad Loder predicted Twitter’s reaction, and his prediction was confirmed within minutes.
They told me that multiple hackers obtained the same data and combined it with data from other security breaches.
There appear to have been multiple threat actors operating independently and collecting this data throughout 2021 for both phone numbers and emails.
The email-Twitter pairings were derived by running existing large databases containing over 100 million email addresses through this Twitter discoverability vulnerability.
We reached out to Twitter for comment, but Musk fired the entire media relations team, so…
Photo: Unsplash