More than 5.4 million user records from Twitter have been published online, exposing everything from private phone numbers to email addresses.
The data, which was released for free on a popular hacking forum this month, was pilfered last December after hackers exploited an API vulnerability on the social media platform.
Although Twitter says the issue was patched in January after it was reported through the HackerOne bug bounty program, multiple threat actors had already exploited the flaw before the fix was deployed.
The leak, as first reported by BleepingComputer, contains not only private phone numbers and email addresses but public scrapes of “Twitter IDs, names, login names, locations, and verified status.”
Before the data was released for free, a hacker had attempted to sell it on the same hacking forum for $30,000 in July.
The Daily Dot was able to confirm the presence of private email addresses and phone numbers in the breached data, including those belonging to high-profile celebrities and politicians.
Aside from the 5.4 million user records, private data on more than 1.4 million suspended Twitter accounts has also been shared privately online. The additional data, according to BleepingComputer, has not been made public.
It also appears that the 5.4 million user records had been briefly offered online for free in September as well.
While the data leak is undoubtedly concerning, an even larger dataset obtained through the same API vulnerability was also discovered this month. Independent researcher Chad Loder noted on Twitter the significance of this separate breach before being suspended from the platform.
“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US,” Loder wrote. “I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021.”
BleepingComputer also confirmed that the data in the breach referenced by Loder was not the same as the data in the 5.4 million user records. Although unconfirmed, the latest dataset is believed to contain over 17 million records in total.
This post has been updated.