Data Of More Than 200 Million Twitter Users Is Leaked

Learn about PurpleSec’s fully managed vulnerability management services.

Author: Dušan Trojanović / Last Updated: 01/16/2022

Reviewed By: Dalibor Gašić

View Our: Editorial Process

Summary Of The Attack

• Data collection sale was started on 4th December 2023 containing more than 200 million Twitter profiles.
• The breached data was released as a 59 GB RAR archive.
• The vulnerable API was compromised by the scrapers using earlier data collections.
• Twitter users should be aware of targeted phishing scam campaigns.

What Happened?

On 4th December 2023, on the hacking forum, a threat actor sold a data collection containing more than 200 million Twitter profiles for hacker forums eight credits, which were worth almost $2.

The first 5.4 million user data collection was offered for sale in July for $30,000 and eventually on 27th November 2022 made available for free. In November, a second data file purportedly comprising information on 17 million individuals was also making its way around privately.

On numerous online hacker forums and marketplaces dedicated to cybercrime, threat actors have been selling and disseminating large data collections of scraped Twitter user profiles since 22nd July 2022.

These profiles included both private phone numbers and email addresses, usernames, screen names, following counts, account creation dates as well as public data.

By taking advantage of a Twitter API flaw that allowed users to enter email addresses and phone numbers to verify whether they were connected to a Twitter ID, these data collections were created in the 2021 year.

Today’s disclosure does not include information on whether an account is verified, in contrast to earlier leaks of data gathered via this Twitter API issue.

What Was The Impact?

The breached data have been released as a 59 GB RAR archive including six text files.

Specific customer information may or may not be in this data collection, depending on whether or not the email address was revealed in prior data breaches.

In addition, this disclosure raises serious privacy concerns, particularly for anonymous Twitter users.

It might be feasible to identify anonymous Twitter users using this leak and reveal their true identities, which can put at risk many dissidents, journalists, activists, and similar users around the world.

Despite the fact this data leak just includes email addresses, threat actors may exploit it to launch phishing attacks on accounts, particularly verified ones.

Large groups of followers from verified accounts are highly prized because they are frequently utilized in internet scams to steal cryptocurrency.

Who Is Responsible For This Attack?

No hacker organization has taken responsibility for the data breach.

The only available information is that a threat actor called StayMad published data on a hacking forum.

How Did The Attack Happen?

These data collections were produced in 2021 by exploiting a vulnerability in the Twitter API that let users enter email addresses and phone numbers to check whether they were linked to a Twitter ID.

In this data breach, threat actors merged available public data with private email addresses and phone numbers to develop profiles of Twitter users by using another Twitter API to scrape the public Twitter data for the IDs.

The API vulnerability was then fed these lists by the scrapers to determine whether your phone number or email address had a corresponding Twitter ID.

Despite the fact Twitter patched this vulnerability in January 2022, several threat actors have recently started to distribute the data collections they obtained over a year ago for free.

Security experts had previously found databases of Twitter credentials for sale in July of that year, despite the company’s claims that it had no evidence that anyone had exploited the vulnerability at the time.

How Can This Attack Be Prevented?

Similar attacks can be prevented by securely developing APIs, aligning with API security best practices constant monitoring and protection against new and unknown threats as well as performing regular penetration testing.

To check whether our account has been compromised we can use a data breach notification service called ‘Have I Been Pwned’ has integrated the Twitter data leak into its system and has started informing its subscribers whose email addresses were discovered in the data breach collections.

The aim of targeted phishing scams is to steal your passwords or other sensitive information, so all Twitter users should be on the watch for these possible attempts.

Users who log into other digital services like bank accounts or cloud storage services using the same account credentials as they do for Twitter run a particularly high risk since hackers may exploit the information obtained from the leak to gain access to user accounts elsewhere.

Internet users should create distinct passwords for each online service they use and maintain them with a digital password manager in order to safeguard themselves from phishing attacks.

Additionally, we should turn on multi-factor authentication for each of their accounts and use caution when clicking on links or emails that they did not ask for.

Related Articles:

• Slack GitHub Account Hack
• Microsoft Azure Services Vulnerable To SSRF
• Data Of 228 Million Deezer Users Stolen
• Malware Targets 30+ WordPress Plugins
• Kubernetes Clusters Hacked