November 28, 2022

Utilizing API security flaws fixed in January, over 5.4 million Twitter user records containing non-public information were stolen through an internal bug and leaked online on a hacker forum.

Last July, malicious actors began selling the private information of over 5.4 million Twitter users on a hacking forum for $30,000 on a hacking forum.

The leaked data includes public information as well as private phone numbers and email addresses that are not intended to be public, as well as Twitter IDs, names, login names, locations, and verified status.

The information was gathered in December 2021 by exploiting a Twitter API vulnerability disclosed in the HackerOne bug bounty program, which permitted individuals to provide phone numbers and email addresses to the API in a bid to get the associated Twitter ID. Threat actors could then scrounge public information about the account using this ID to build user record comprising both personal and public information.

The owner of the Breached hacking forum, Pompompurin, explained that “they were responsible for exploiting the bug and creating the massive dump of Twitter user records after another threat actor known as ‘Devil’ shared the vulnerability with them.”

The sources for this piece include an article in BleepingComputer.