Twitter accused of covering up data breach that affects millions

enaph

Thread author
A Los Angeles-based cyber security expert has warned of a data breach at social media site Twitter that has allegedly affected “millions” across the US and EU.

Chad Loder, who is the founder of cyber security awareness company Habitu8, took to the social media site on November 23 to warn users of the alleged data breach that Loder claims occurred “no earlier than 2021” and “has not been reported before”.

In a series of tweets, Loder claimed they had seen the data stolen in the alleged breach and spoken to potential victims of the breach, who had confirmed that the breached data was “accurate”.
 

Gandalf_The_Grey

5.4 million Twitter users' stolen data leaked online — more shared privately
Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum.

Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors.

The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.
An even larger data dump privately created

While it is concerning that threat actors released the 5.4 million records for free, an even larger data dump was allegedly created using the same vulnerability.

This data dump potentially contains tens of millions of Twitter records consisting of personal phone numbers collected using the same API bug, and public information, including verified status, account names, Twitter ID, bio, and screen name.

The news of this more significant data breach comes from security expert Chad Loder, who first broke the news on Twitter and was suspended soon after posting. Loder subsequently posted a redacted sample of this larger data breach on Mastodon.

"I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021," Loder shared on Twitter.

BleepingComputer has obtained a sample file of this previously unknown Twitter data dump, which contains 1,377,132 phone numbers for users in France.

We have since confirmed with numerous users in this leak that the phone numbers are valid, verifying this additional data breach is real.

Furthermore, none of these phone numbers are present in the original data sold in August, illustrating how much larger Twitter's data breach was than previously disclosed and the large amount of user data circulating among threat actors.

Pompompurin also confirmed with BleepingComputer that they were not responsible and did not know who created this newly discovered data dump, indicating that other people were using this API vulnerability.

BleepingComputer has learned that this newly discovered data dump consists of numerous files broken up by country and area codes, including Europe, Israel, and the USA.

We were told that it consists of over 17 million records but could not independently confirm this.

As this data can be potentially used for targeted phishing attacks to gain access to login credentials, it is essential to scrutinize any email that claims to come from Twitter.

If you receive an email claiming your account was suspended, that there are login issues, or that you are about to lose your verified status, and it prompts you to log in on a non-Twitter domain, ignore the emails and delete them, as they are likely phishing attempts.
 

Joofrana

If this is true, Twitter, now under Elon Musk, will go for a ride with EU institutions for quite a while, since the GDPR demands that companies holding client information disclose any data breaches unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Stolen data from Twitter most likely includes personal e-mails that could be used for phishing attacks. I am interested to see if there will be any developments regarding this matter.
 

Gandalf_The_Grey

Massive Twitter data leak investigated by EU privacy watchdog
The Irish Data Protection Commission (DPC) has launched an inquiry regarding a massive Twitter data leak following last month's news reports that non-public information belonging to over 5.4 million Twitter user records has been leaked on a hacking forum.

This data was stolen by exploiting an API vulnerability Twitter fixed in January and consists of scraped public info as well as private phone numbers and email addresses.

"The DPC corresponded with Twitter International Unlimited Company ('TIC') in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance," the Irish privacy regulator said on Friday.

"The DPC, having considered the information provided by TIC regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed in relation to Twitter Users' personal data."

Twitter's lead EU watchdog wants to determine if Twitter has complied with its obligation as a data controller regarding the processing of users' data and if it infringed any General Data Protection Regulation (EU GDPR) or Data Protection Act 2018 provisions.

The privacy watchdog fined Twitter €450,000 (~$550,000) two years ago for failing to notify the DPC of a breach within the 72-hour timeframe imposed by the GDPR and to adequately document it.
 

Stopspying

"A data leak containing email addresses for 235 million Twitter users has been published on a popular hacker forum. Many experts have immediately analyzed it and confirmed the authenticity of many of the entries in the huge leaked archive.
At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.
In January, a report published on Hacker claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options.
The vulnerability was exploited by multiple threat actors to scrape Twitter user profiles containing both private (phone numbers and email addresses) and public data. Then the scraped data were offered on various online cybercrime marketplaces..."

 
  • Like
Reactions: Gandalf_The_Grey
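The reports quoted in this thread describe the bug class in one sentence: a contact-lookup endpoint that maps a phone number or email to an account even when the user has switched off "let people find me by my phone/email". As an added illustration (not code from Twitter, the quoted articles, or anyone in this thread), the Python below models a small lookup service with the weak handler beside a hardened one, plus a per-client counter of the kind a defender would use to spot bulk enumeration of a list of contacts. The account records, handles, phone numbers, and the `threshold` value are all constructed for the example; the hardened handler's key property is that "no such account" and "account exists but opted out" produce the identical response.

```python
"""
Contact-discovery lookup: weak handler beside a hardened one.

Added illustration, not the code of any real service. Models the bug class
the thread describes: a lookup endpoint that answers "which account owns this
phone/email?" without honouring the user's discoverability setting.
All records and names below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_contact: bool  # the privacy toggle the reports mention


# Constructed sample directory (not real accounts).
DIRECTORY = [
    Account("alice", "alice@example.org", "+33600000001", True),
    Account("bob", "bob@example.org", "+33600000002", False),  # opted out
]

BY_EMAIL = {a.email.lower(): a for a in DIRECTORY}
BY_PHONE = {a.phone: a for a in DIRECTORY}


def _find(contact: str) -> Optional[Account]:
    """Resolve a phone number or email to the stored account, if any."""
    return BY_EMAIL.get(contact.strip().lower()) or BY_PHONE.get(contact.strip())


def lookup_weak(contact: str) -> Optional[str]:
    """Weak: returns the handle for any matching contact and ignores the
    discoverability flag, so a list of emails/phones becomes a list of handles."""
    acct = _find(contact)
    return acct.handle if acct else None


def lookup_hardened(contact: str) -> Optional[str]:
    """Hardened: the opt-out is enforced server-side, and an opted-out account
    is indistinguishable from a non-existent one (same value, same code path)."""
    acct = _find(contact)
    if acct is None or not acct.discoverable_by_contact:
        return None
    return acct.handle


class LookupMonitor:
    """Counts the distinct contacts each client has queried. A single user
    syncing an address book touches a bounded set; a client that probes far
    more distinct contacts than `threshold` looks like bulk enumeration."""

    def __init__(self, threshold: int):
        self.threshold = threshold  # constructed value; tune per service
        self._seen = defaultdict(set)

    def record(self, client_id: str, contact: str) -> None:
        self._seen[client_id].add(contact.strip().lower())

    def flagged(self, client_id: str) -> bool:
        return len(self._seen[client_id]) > self.threshold


def serve_lookup(monitor: LookupMonitor, client_id: str, contact: str) -> Optional[str]:
    """Front door: record the query, refuse flagged clients, else use the
    hardened handler. Refusal also returns None so it reveals nothing."""
    monitor.record(client_id, contact)
    if monitor.flagged(client_id):
        return None
    return lookup_hardened(contact)


if __name__ == "__main__":
    print("weak   :", lookup_weak("bob@example.org"))       # leaks 'bob'
    print("hardened:", lookup_hardened("bob@example.org"))  # None (opted out)
    m = LookupMonitor(threshold=2)
    for c in ["a@example.org", "b@example.org", "c@example.org"]:
        serve_lookup(m, "client-1", c)
    print("client-1 flagged:", m.flagged("client-1"))
```

The monitor only counts distinct contacts per client, which is the signal that distinguishes an enumeration run from a repeated lookup of the same contact; in a real deployment the counter would be windowed and keyed on an authenticated client identity rather than a string passed in by the caller.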
