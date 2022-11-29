The Twitter security flaw that allowed hackers to steal millions of user records is one Twitter said in August this year it had fixed, but that hasn't stopped hackers from posting the data for free online. Image: Sergey Elagin (Shutterstock)

The Twitter API once had a flaw so easy to exploit that hackers managed to obtain the details of 5.4 million users. Now, according to reports and posts on hacker forums, several million more user records are floating around the internet.

BleepingComputer reported Monday that the 5.4 million user records containing phone numbers, emails, and other profile data may have been just the tip of the iceberg of a much larger breach of company data. The data was originally pulled from Twitter using a flaw in the platform's application programming interface (API), and is now openly shared online. As a HackerOne report summarized earlier this year, hackers discovered that the API allowed anyone to obtain a user's Twitter ID by submitting that user's phone number or email address, even if the user had disabled the option to be found that way in their account settings.
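To make the flaw concrete, here is an added Python illustration. It is not Twitter's code and not taken from the HackerOne report: a hypothetical contact-discovery lookup that returns a matching account regardless of the owner's discoverability setting, beside a hardened version that enforces the setting and answers an opted-out account exactly as it answers a non-existent one. The users, emails, phone numbers, and function names are all constructed for the example.

```python
# Added illustration of the class of bug described in the article.
# Not Twitter's code; the directory and identifiers below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class User:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool   # "Let people who have your email find you"
    discoverable_by_phone: bool   # "Let people who have your phone number find you"


# Constructed sample directory; no real accounts.
USERS: List[User] = [
    User(1001, "alice", "alice@example.com", "+15550100", True, True),
    User(1002, "bob", "bob@example.com", "+15550101", False, False),
]


def _normalize(identifier: str) -> str:
    # Lowercase and strip whitespace so "Bob@Example.com " still matches;
    # phone numbers are assumed already in E.164 form for this example.
    return identifier.strip().lower()


def lookup_vulnerable(identifier: str) -> Dict:
    """Contact discovery that ignores the owner's discoverability setting.

    This is the behaviour the article describes: any email or phone number
    that matches an account reveals that account's ID, whether or not the
    owner opted in to being found by that channel.
    """
    ident = _normalize(identifier)
    for u in USERS:
        if ident in (u.email.lower(), u.phone):
            return {"found": True, "user_id": u.user_id, "handle": u.handle}
    return {"found": False}


def lookup_hardened(identifier: str) -> Dict:
    """Contact discovery that enforces the owner's per-channel opt-in.

    An account whose owner opted out of discovery by the submitted channel
    yields the same response as an identifier that matches nothing, so the
    endpoint cannot be used as an oracle for "does this email have an account".
    (Rate limiting and authentication are still needed on top of this check;
    they are outside the scope of the example.)
    """
    ident = _normalize(identifier)
    for u in USERS:
        if ident == u.email.lower() and u.discoverable_by_email:
            return {"found": True, "user_id": u.user_id, "handle": u.handle}
        if ident == u.phone and u.discoverable_by_phone:
            return {"found": True, "user_id": u.user_id, "handle": u.handle}
    return {"found": False}


def enumerate_contacts(candidates: List[str],
                       lookup: Callable[[str], Dict]) -> Dict[str, int]:
    """Model of the scraping step: feed a list of emails/phone numbers to the
    lookup and keep every identifier that resolves to a user ID."""
    hits: Dict[str, int] = {}
    for c in candidates:
        result = lookup(c)
        if result["found"]:
            hits[c] = result["user_id"]
    return hits


if __name__ == "__main__":
    probe = ["alice@example.com", "bob@example.com", "+15550101", "x@example.com"]
    print("vulnerable:", enumerate_contacts(probe, lookup_vulnerable))
    print("hardened:  ", enumerate_contacts(probe, lookup_hardened))
```

Against the constructed directory, the vulnerable lookup maps three of the four probes to user IDs, including both of bob's identifiers even though bob opted out of discovery; the hardened lookup returns only alice, who opted in, and gives bob's identifiers and the unknown address the identical `{"found": False}` response.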

The Twitter API and its discoverability settings were exploited to link usernames and user IDs to phone numbers and emails in late 2021. Screenshot: Twitter

Twitter was upfront about the original API flaw and the exposure of millions of user IDs. At the time, the platform said it was notifying users so they could confirm whether they were affected by the breach. But anti-fascist researcher and security expert Chad Loder posted evidence of additional data theft on his Mastodon profile on November 25. Loder told 9to5Mac last week that there appeared to be "multiple threat actors, operating independently" taking data on users in the UK, some EU nations, and parts of the US, mostly dating back to late 2021. That second data set could include about 1.4 million more profiles.

A thread posted on BreachForums, also known as Breached, shared the original 5.4 million records for free last week, and at the time of reporting that forum thread is still live. Gizmodo was unable to confirm the authenticity of the data, though the forum thread noted that the additional 1.4 million records, reportedly belonging to suspended accounts, may still be circulating only in private circles.

The post on Breached that includes a link to download all 5.4 million user records was still live at the time of the report. Screenshot: Breached

There are still questions about how many of those records contain new information. LeakCheck, a breach-lookup service, noted in the same forum thread that perhaps only 12% of the emails found in the 500+ GB of data were new, meaning not already present in previous leaks.

Gizmodo reached out to LeakCheck to confirm this, but did not immediately hear back.

So that's up to 7 million users or former users who may have their account information floating around the internet. BleepingComputer also said it had contacted the user who goes by Pompompurin, the owner of Breached, who claimed to be the original hacker who exploited Twitter late last year. The 1.4 million records were not supposed to be public, according to Pompompurin, though they appear to have leaked anyway. BleepingComputer noted that the data could comprise more than 17 million user records, far more than originally reported, though the full number has not been confirmed.

Hackers on the Breached forum had originally offered that data for $30,000, but this most recent report says the data is now freely available online. BleepingComputer said it obtained a portion of the data, 1.37 million leaked records for users in France, and has since confirmed with at least some of the users listed in the leak that their phone numbers were valid. There could be even more phone numbers on the most recent list than in what was shown earlier this year.

Although Twitter has more than 200 million daily active users (despite CEO Elon Musk's unsubstantiated claims that those numbers are rising), a breach of 17 million accounts would be one of the largest breaches of user data, though by no means the largest. A hacker previously stole data on 100 million Capital One customers and was sentenced to five years' probation. LinkedIn has dealt with 500 million user profiles scraped from its systems. The ride-sharing company Uber has suffered major attacks on user data twice, once in 2016 and once just a few months ago.

Gizmodo reached out to Twitter, but in the age of Musk and the apparent demise of Twitter’s press team, we haven’t heard from the company in weeks.