Twitter data leak exposes over 5.4 million accounts


In January of this year, Twitter fixed a security flaw in an API that had been reported through its bug bounty program. Months later, in July, it discovered that before it had time to fix the problem, someone had exploited the flaw and was trying to sell the user data obtained that way on an online forum, for $30.

The situation was apparently contained, but it now appears that this was only temporary. The same data from 5.4 million users, which includes non-public data such as telephone numbers or email addresses, has once again been published online, this time for free. Anyone can access it and use it for any purpose, including as a starting point for phishing or other attacks.

The news was reported by BleepingComputer, which had already revealed the attempt to sell the data in the summer. It now also reports that the data is fully available online, noting that this is not even the worst news on the subject.


A security researcher, Chad Loder, has reportedly discovered another exploitation of the same flaw, said to involve an even greater volume of data, mixing public information (account identification data or location, for example) and private information of users of the social network. According to the same source, the records in this database, mainly of European and North American users, are not the same as those in the previous one. They belong to different users.

The author of the discovery first posted it on Twitter, from which he was banned shortly thereafter. The message he shared read: "I have just received evidence of a massive data breach from Twitter affecting millions of accounts in the EU and US. I contacted the author of one of the affected accounts who confirmed that the shared data is correct. This breach did not occur before 2021".

Now on Mastodon, a competitor to Twitter, Loder shared a sample of the list. In the comments on the post, he says that he identified tens of millions of records, admitting that they could reach 100 million. He also says, in response to a user's request to send a list with more readable information, that he would never disclose personal contact details of third parties.

Meanwhile, the person responsible for the forum, who decided to open access to the data of 5.4 million Twitter users to the world, had also already told BleepingComputer that, using another API, they had additionally managed to access data from 1.4 million profiles suspended by Twitter. This data has also been shared in recent months, but privately, and is not part of the database now openly released.
