Twitter confirmed today that the recent leak of millions of members’ profiles, including private phone numbers and email addresses, resulted from the same data breach the company disclosed in August 2022.
Twitter says its incident response team analyzed the user data leaked in November 2022 and confirms it was collected using the same vulnerability before it was fixed in January 2022.
“In November 2022, some press reports published that Twitter users’ data had been allegedly leaked online,” reads the update.
Data leaked on a hacking forum
In January 2022, Twitter received a report through its bug bounty program that an API vulnerability allows an attacker to feed email addresses or phone numbers and get an associated Twitter ID for a registered account.
As members’ phone numbers and email addresses are not meant to be public, this could pose a significant privacy risk for Twitter users who wish to post anonymously.
By the time Twitter remediated the problem, a threat actor had already leveraged the API vulnerability to input millions of email addresses and phone numbers to create 5.4 million user profiles consisting of public and non-public data.
This scraped data was then put up for sale on a hacker forum in July 2022 for $30,000, with two people allegedly buying it for under the original asking price.
In September 2022 and November 2022, a threat actor released a JSON file containing the complete set of 5.4 million records scraped in 2021, which privately circulated among a small number of threat actors until then.
Around the same time, a researcher also shared samples of an additional set of Twitter profiles scraped using the vulnerability that was not included in the original 5.4 million user breach.
This data set is allegedly far more extensive, reportedly containing 17 million records collected using the same API flaw.
While BleepingComputer has not been able to confirm the extent of this additional data set, we were able to examine a sample of a data set containing 1.4 million previously undisclosed French Twitter account records.
BleepingComputer used this sample to contact listed Twitter users and confirm that the leaked phone number belonged to them, confirming this additional data set was valid.
Unfortunately, while Twitter’s latest update indicates that the data leaked last month is tied to the previously disclosed vulnerability, the company has not confirmed the exact number of exposed users.
Twitter advises that users enable two-factor authentication, use authenticator apps or hardware keys to protect their accounts, and be extra vigilant with incoming emails related to their Twitter accounts.
“We also encourage Twitter users to remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns,” warns Twitter.
“Be wary of emails conveying a sense of urgency and emails requesting your private information, always double check that emails are coming from a legitimate Twitter source.”
Update 12/12/22 – Changed title to reflect that the breach was in 2021 and confirmed in August.