After being made public in July, private Twitter data relating to 5 million users was reshared in a hacker forum last Thursday. Whereas the July leak cost $30,000, Thursday's dump was provided at no cost.
User Personal Information Exposed
Over the weekend, Pompompurin, the owner of the hacking forum HackerOne, revealed to BleepingComputer that his site was responsible for the first data dump.
A Twitter API bug was discovered in December as part of the forum's bug bounty program, allowing people to retrieve specific Twitter IDs by uploading an affiliated phone number or email address. This enabled threat actors to create user profiles on millions of accounts by combining public and private information.
By July, enough data had been collected for a threat actor to begin selling the private information of 5.4 million users on an online forum for $30,000 USD. This information included phone numbers and email addresses, as well as publicly available information such as names, Twitter IDs, locations, login names, and verified status.
In addition, a second data breach influencing 1.4 million suspended users occurred, bringing the total number of affected profiles to nearly 7 million.
On November 24th, a data portion affecting 5.4 million users was openly reshared on a hacking forum. This is, according to Pompompurin, the same data that was for special offers for thousands of dollars in July and August.
Another Significant Breach?
While the API bug that allowed the data to be discovered had been fixed by January 2022, the same exploit has reportedly been used to carry out an even larger data breach.
Last Wednesday, security expert Chad Loder claimed on Twitter that he had received evidence of a breach affecting millions of American and European users. "The dataset contains verified accounts, celebrities, political figures, and government agencies," he continues.
Chad Loder's account was suspended shortly after his claims were published. Multiple cryptocurrency firms, including Celsius and OpenSea, were hit with an email data breach in July as a result of a rogue employee at Customer.io, which handled both firms' customer communications.
Do you think there is anything that can be done to protect our data from being leaked online? Let us know your thoughts by sharing this article online.