Massive Twitter data breach worse than reported; multiple hacks

A massive data breach on Twitter last year, which exposed more than five million phone numbers and email addresses, was worse than initially reported. We have obtained evidence that the same security vulnerability was exploited by multiple attackers, and that the stolen data has been offered for sale on the dark web by several different sources.

It was previously thought that only one hacker gained access to the data, and Twitter’s belated admission reinforced this impression…

Background

The vulnerability was first reported through HackerOne in January. It allowed anyone to enter a phone number or email address and retrieve the associated Twitter ID. This is an internal identifier used by Twitter, but it can easily be converted into a Twitter handle.

A bad actor would be able to put together a single database that combines Twitter handles, email addresses, and phone numbers.

At the time, Twitter acknowledged the vulnerability, which was subsequently patched, but said nothing about anyone having exploited it.

RestorePrivacy then reported that a hacker had indeed used the vulnerability to obtain personal information from millions of accounts.

A verified January Twitter vulnerability was exploited by a threat actor to obtain account credentials, reportedly belonging to 5.4 million users. While Twitter has since patched the vulnerability, the database reportedly obtained by this exploit is now being sold on a popular hacking forum, posted earlier today.

Twitter subsequently confirmed the hack.

In July 2022, we learned through a press release that someone may have taken advantage of this and offered to sell the information they had collected. After reviewing a sample of the data available for sale, we confirmed that an attacker exploited the issue before it was fixed.

Massive Twitter data breach plural, not singular

There were suggestions on Twitter yesterday that the same personal information had been obtained by multiple bad actors, not just one. 9to5Mac has now seen evidence that this is indeed the case. We were shown a dataset containing the same information in a different format, with a security researcher stating it was “definitely a different threat actor.” The source told us this was just one of many such files they have seen.

The data includes Twitter users in the UK, almost every EU country and parts of the US.

I obtained several files, one per phone number country code, containing the phone number <-> Twitter account name link for the entire country phone number space from +XX 0000 to +XX 9999.

Any Twitter account with the discoverability | Phone option enabled end of 2021 was mentioned in the data set.

The option referenced here is a setting buried deep in Twitter’s settings that appears to be enabled by default.

Bad actors are believed to have been able to download about 500,000 records per hour, and the data has been offered for sale by multiple sources on the dark web for about $5,000.
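The lookup described above, as an added illustration that is not Twitter’s code and not a reconstruction of the actual bug: a contact-discovery endpoint that hands out a user ID for any phone number or email address, beside a hardened version that honours the discoverability opt-in, answers “no such contact” and “contact not discoverable” identically, and rate-limits each client. The example goes a little beyond the text by showing the fix as well as the flaw. The user records, the +XX numbers, the client name and the limit of five lookups per window are all constructed for the example.

```python
"""Added illustration (not Twitter's code): a contact-discovery lookup with and
without the controls that would have blunted the enumeration described above.
All names, data and thresholds here are constructed for the example."""
import time
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    handle: str
    phone: str
    email: str
    discoverable_by_phone: bool   # the "Discoverability | Phone" style opt-in
    discoverable_by_email: bool


# Constructed sample directory; the +XX numbers and handles are made up.
USERS = [
    User(1001, "alice", "+XX 0001", "alice@example.com", True, True),
    User(1002, "bob",   "+XX 0002", "bob@example.com",   False, True),
    User(1003, "carol", "+XX 0003", "carol@example.com", True, False),
]
BY_PHONE = {u.phone: u for u in USERS}
BY_EMAIL = {u.email: u for u in USERS}


def vulnerable_lookup(phone=None, email=None):
    """Leaky version: any caller can map a phone number or email to a user ID,
    regardless of the user's discoverability setting and with no rate limit."""
    u = BY_PHONE.get(phone) if phone is not None else BY_EMAIL.get(email)
    return {"exists": u is not None, "user_id": u.user_id if u else None}


class RateLimiter:
    """Fixed-window limit per client: at most `limit` lookups per `window` seconds."""

    def __init__(self, limit, window=3600.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.counts = {}  # client -> (window_start, count)

    def allow(self, client):
        now = self.clock()
        start, n = self.counts.get(client, (now, 0))
        if now - start >= self.window:      # window expired, start a new one
            start, n = now, 0
        if n >= self.limit:
            self.counts[client] = (start, n)
            return False
        self.counts[client] = (start, n + 1)
        return True


def hardened_lookup(client, limiter, phone=None, email=None):
    """Hardened version: honours the opt-in, returns an identical answer for
    'no such contact' and 'contact not discoverable', and is rate limited.
    The caller learns nothing unless the user chose to be findable."""
    if not limiter.allow(client):
        return {"error": "rate_limited"}
    if phone is not None:
        u = BY_PHONE.get(phone)
        ok = u is not None and u.discoverable_by_phone
    else:
        u = BY_EMAIL.get(email)
        ok = u is not None and u.discoverable_by_email
    # One indistinguishable response for both negative cases: no oracle.
    return {"match": u.user_id if ok else None}


def enumerate_phone_space(lookup, numbers):
    """Sweep a number range the way the dataset described above was built and
    collect the identities that come back. `lookup` maps a phone number to a
    user ID or None."""
    found = {}
    for n in numbers:
        uid = lookup(n)
        if uid is not None:
            found[n] = uid
    return found


def demo():
    """Run the same sweep against both endpoints; returns (leaked, guarded_hits)."""
    numbers = [f"+XX {i:04d}" for i in range(10)]   # tiny slice of +XX 0000..9999
    leaked = enumerate_phone_space(
        lambda n: vulnerable_lookup(phone=n)["user_id"], numbers)
    limiter = RateLimiter(limit=5)   # constructed budget: 5 lookups per window

    def guarded(n):
        return hardened_lookup("attacker", limiter, phone=n).get("match")

    guarded_hits = enumerate_phone_space(guarded, numbers)
    return leaked, guarded_hits


if __name__ == "__main__":
    leaked, guarded_hits = demo()
    print("vulnerable endpoint leaked:", leaked)
    print("hardened endpoint returned:", guarded_hits)
```

Against the sample directory the leaky endpoint gives up all three users, while the hardened one returns only the users who opted in to phone discovery and then stops answering once the per-client budget is spent. A per-client window on its own is not enough against an attacker with many source identities, which is why the opt-in and the identical negative response matter: with those in place, a full sweep of a country code yields only accounts that asked to be found.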

Security expert who tweeted about it has account suspended

Another security specialist who tweeted about the issue yesterday was suspended the same day. Internationally recognized computer security expert Chad Loder predicted Twitter’s reaction, and his prediction was borne out within minutes.

They told me that multiple hackers had obtained the same data and combined it with data from other breaches.

It appears that there have been multiple threat actors operating independently and collecting this data throughout 2021 for both phone numbers and emails.

The links between email and Twitter were obtained by running existing large databases containing more than 100 million email addresses through this vulnerability in Twitter.

We were going to reach out to Twitter for comment, but Musk fired the entire media relations team, so…

Photo: Unsplash
