Over 5.4 million Twitter user records have been shared for free on a hacker forum.
Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely this bug was abused by threat actors.
The data includes private phone numbers and email addresses that are not meant to be public.
The Twitter data breach
A threat actor began selling the private information of over 5 million people on a hacking forum for $30,000.
The data was mostly public profile information, but it also included private phone numbers and email addresses.
The data was collected in December 2021 using a Twitter API vulnerability, disclosed through the HackerOne bug bounty program, that allowed anyone to submit a phone number or email address to the service and receive the ID of the associated Twitter account.
The threat actors could then use this ID to scrape the account's public profile information, producing a user record that combined the private contact detail with the public data.
BleepingComputer was told that multiple threat actors were using the bug to collect private information on Twitter users, but it was not clear at the time whether the bug had actually been exploited in a breach.
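To make the bug class concrete, the following is an added, constructed model of the two steps described above: a contact-lookup endpoint that resolves an email address or phone number to an account ID, and the join that turns that ID into a combined private-plus-public record. It is not Twitter's code or API; the endpoint names, the `discoverable` setting used in the hardened variant, and the sample accounts are all assumptions made for the demonstration. The hardened lookup shows the general fix for this class of oracle: a contact that belongs to an account which has not opted into discovery gets exactly the same answer as a contact that belongs to nobody.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


@dataclass
class Account:
    user_id: int
    screen_name: str
    email: str            # non-public
    phone: str            # non-public
    discoverable: bool    # assumed "let others find me by email/phone" setting
    public: dict = field(default_factory=dict)  # what anyone can read off the profile


# Constructed sample accounts (fake data, not from any leak)
ACCOUNTS = [
    Account(1001, "alice_example", "alice@example.com", "+33 6 12 34 56 78", False,
            {"name": "Alice", "verified": False, "followers": 120, "created": "2015-03-01"}),
    Account(1002, "bob_example", "bob@example.com", "+1 (415) 555-0100", True,
            {"name": "Bob", "verified": True, "followers": 9800, "created": "2012-11-20"}),
]


def normalize_phone(raw: str) -> str:
    """Keep digits only so '+1 (415) 555-0100' and '+14155550100' match."""
    return "".join(ch for ch in raw if ch.isdigit())


BY_ID = {a.user_id: a for a in ACCOUNTS}
BY_EMAIL = {a.email.lower(): a for a in ACCOUNTS}
BY_PHONE = {normalize_phone(a.phone): a for a in ACCOUNTS}


def _find(contact: str) -> Optional[Account]:
    key = contact.strip().lower()
    if "@" in key:
        return BY_EMAIL.get(key)
    return BY_PHONE.get(normalize_phone(key))


def lookup_vulnerable(contact: str) -> Optional[int]:
    """Bug class described in the article: any submitted email or phone number
    is answered with the owning account's ID, ignoring the user's settings."""
    acct = _find(contact)
    return acct.user_id if acct else None


def lookup_hardened(contact: str) -> Optional[int]:
    """Only accounts that opted into discovery are resolvable. A non-discoverable
    account and an unknown contact produce the identical response, so the
    endpoint no longer confirms that a private email/phone belongs to anyone."""
    acct = _find(contact)
    if acct is not None and acct.discoverable:
        return acct.user_id
    return None


def public_profile(user_id: int) -> dict:
    """Stand-in for scraping the public profile by account ID."""
    acct = BY_ID[user_id]
    return {"screen_name": acct.screen_name, **acct.public}


def build_record(contact: str, lookup: Callable[[str], Optional[int]]) -> Optional[dict]:
    """The join: private contact -> account ID -> public profile -> merged record."""
    user_id = lookup(contact)
    if user_id is None:
        return None
    return {"contact": contact, "user_id": user_id, **public_profile(user_id)}


def enumerate_contacts(contacts: Iterable[str], lookup: Callable[[str], Optional[int]]) -> list:
    """Feed a list of guessed or purchased contacts through the lookup and keep the hits."""
    return [r for r in (build_record(c, lookup) for c in contacts) if r is not None]


if __name__ == "__main__":
    probes = ["alice@example.com", "+14155550100", "nobody@example.com"]
    print("vulnerable:", enumerate_contacts(probes, lookup_vulnerable))
    print("hardened:  ", enumerate_contacts(probes, lookup_hardened))
```

Against the vulnerable lookup every real contact in the probe list yields a merged record; against the hardened one only the account that opted in does. In a real deployment the hardened endpoint also needs per-client rate limiting and uniform response size and timing, since a batch endpoint that answers millions of probes is what makes the join scale.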
After BleepingComputer shared a sample of the user records, the social media company confirmed they had suffered a data breach due to a bug that was fixed in January.
Pompompurin told BleepingComputer that they were responsible for exploiting the bug and creating the massive dump of user records after another threat actor shared the vulnerability with them.
In addition to the 5.4 million records for sale, there were also an additional 1.4 million profiles for suspended users, bringing the total to almost 7 million accounts containing private information.
Pompompurin said that the second data dump was only shared among a few people and not sold.
Twitter data shared on a hacking forum
On November 24th, the 5.4 million Twitter records were uploaded for free on a hacking forum.
Pompompurin has confirmed to BleepingComputer that this is the same data that was sold in August.
The records contain either a private email address or phone number, plus public data such as the account's name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs.
An even larger data dump privately created
Threat actors released over 5 million records for free, but an even larger dump was created using the same vulnerability.
The data dump is said to include tens of millions of personal phone numbers, together with account names, bios, and screen names.
News of this larger data dump was first broken by security expert Chad Loder on Twitter itself, and his Twitter account was suspended shortly afterward. Loder also posted a redacted sample of the larger breach, writing:
"There is evidence that millions of accounts in the EU and US have been compromised. I contacted a sample of the affected accounts and they confirmed the data was accurate. The breach occurred no earlier than 2020."
BleepingComputer obtained a sample file of this previously unknown data dump, which contained 1,377,132 phone numbers for users in France.
We confirmed with many users in the leak that the phone numbers are valid.
None of these phone numbers appear in the original data that was sold, which illustrates how much Twitter user data is circulating among threat actors.
Pompompurin confirmed to BleepingComputer that they were not responsible for this dump and that other people were also using the vulnerability.
BleepingComputer has learned that the data dump consists of files broken up by country and area codes, including Europe, Israel, and the USA.
We were told that it has over 17 million records, but we could not confirm this.
It is important to scrutinize any email that claims to come from Twitter, as this data can be used in targeted phishing attacks to steal login credentials.
If you receive an email claiming your account was suspended, that there are login issues, or that you are about to lose your verified status, ignore the email and delete it.
BleepingComputer reached out to Twitter on Thursday about the new data dump, but has yet to hear back.