While Twitter already claimed it had fixed its API vulnerability, BleepingComputer reports that hackers could exploit 5.4 million users’ data through the same vulnerability. The stolen data is shared for free on a hacking forum.
Back in late July, a dangerous vulnerability in Twitter’s API was found after selling 5.4 million users’ data on a forum for $30,000. The package mainly included general data like Twitter IDs, names, and login names. But also, the user’s phone numbers and email addresses were included in the package. In January, Twitter announced it had covered the flaw in its API. However, hackers disagree with that claim.
The vulnerability in Twitter API reportedly enables hackers to retrieve the associated Twitter ID by submitting phone numbers and email addresses into the API. At the time, Twitter said it had no evidence that hackers could exploit the vulnerability.
Hackers could also steal another 1.4 million Twitter data
Until now, we know that Twitter has lied about fixing the API vulnerability, but the bad news is there is even more leaked data. Pompompurin, the owner of the Breached hacking forum, told the outlet a bad actor called “Devil” informed them of the vulnerability and that they were responsible for creating a massive dump of Twitter user records.
That 5.4 million user data is not the only data stolen from the social media app through its API flaw. Pompompurin claimed they could exploit additional 1.4 million Twitter data for suspended accounts. Ultimately, almost 7 million users’ data is stolen through an API vulnerability. Of course, Pompompurin said the second data package was not sold and was only shared privately among a few hackers.
But more hackers could take advantage of that API vulnerability. And the private data of tens of millions of Twitter users may have already leaked. BleepingComputer says the dump could contain over 17 million records, but they can’t independently confirm the news.
Security expert Chad Loder first shared the news on Twitter, but his account was later suspended. He has now shared a redacted sample of that data on Mastodon. “I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in the EU and US,” Loder said. He also asserted that the breach occurred no earlier than 2021.
2022-11-30 15:11:36