More than 5.4 million user records for the social media platform Twitter were recently shared free of charge on a hacker forum on the dark web. The files contained non-public information that was stolen by threat actors using an API vulnerability.

However, perhaps more significantly, another colossal data dump containing millions of Twitter records was also reported by a cybersecurity researcher, to demonstrate just how widely this bug was abused by malicious operators.

The information involved consists of a mixture of scraped public data along with private email addresses and telephone numbers that should not be accessible by all.

The original data breach at Twitter

The data now being shared for free online dates back to an incident that occurred last July. A threat operator started selling the private data of more than 5.4 million users via a hacking forum post, asking a price of $30,000.

Although most of the information was public, like full names, Twitter IDs, login names, verified status and locations, it also included some private information, like phone numbers and personal email addresses.

The data was harvested in December last year using a Twitter API vulnerability that had been disclosed through the HackerOne bug bounty program. The flaw enabled anyone to submit an email address or phone number to the API and retrieve the Twitter ID connected with it.

Using this ID, the cybercriminals then scraped public information about the account to build a user record that combined both public and private information.
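The lookup flaw described above is an account-existence oracle: the API answered differently depending on whether a submitted email or phone number belonged to an account. The following is an added example, not the article's or Twitter's code, contrasting a toy vulnerable lookup with a hardened version (uniform response plus per-caller rate limiting) and a check a team could keep as a regression test; the account directory and contact values are constructed.

```python
# Added example (not from the article, and not Twitter's code): a toy
# account-lookup endpoint with the flaw the article describes, next to a
# hardened version, plus a check that exercises both.
import time
from collections import defaultdict

# Constructed sample directory: contact detail -> internal account ID.
ACCOUNTS = {"alice@example.com": 1001, "+15555550100": 1002}


def vulnerable_lookup(caller: str, contact: str) -> dict:
    """Answers differently for known and unknown contacts, so the response
    itself confirms which emails/phones belong to accounts."""
    if contact in ACCOUNTS:
        return {"found": True, "id": ACCOUNTS[contact]}
    return {"found": False}


class HardenedLookup:
    """Same use case (e.g. account recovery) without an existence oracle:
    identical response for any input, and per-caller rate limiting."""

    def __init__(self, limit: int = 5, window_s: int = 3600):
        self.limit, self.window_s = limit, window_s
        self.attempts = defaultdict(list)  # caller -> request timestamps
        self.outbox = []                   # what would be sent out of band

    def lookup(self, caller: str, contact: str, now=None) -> dict:
        now = time.time() if now is None else now
        recent = [t for t in self.attempts[caller] if now - t < self.window_s]
        if len(recent) >= self.limit:
            return {"status": "rate_limited"}
        recent.append(now)
        self.attempts[caller] = recent
        if contact in ACCOUNTS:
            # Only the real account holder learns anything, via their own channel.
            self.outbox.append((contact, ACCOUNTS[contact]))
        return {"status": "accepted"}  # same body whether or not contact exists


def leaks_existence(lookup, caller: str = "tester") -> bool:
    """Regression check: do responses differ for a known vs. unknown contact?"""
    known = lookup(caller, "alice@example.com")
    unknown = lookup(caller, "nobody@example.invalid")
    return known != unknown
```

The check passes for the hardened class only because both branches return the same body; any per-branch difference in fields, status codes or timing would reintroduce the oracle.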

Twitter user data shared online

On November 24 this year, the 5.4 million Twitter records were shared for free on a Dark Web hacking forum.

Every record contains either a private phone number or an email address, along with a selection of other information, including the account’s screen name, name, Twitter ID, verified status, URL, location, description, account creation date, follower count, friends count, favourites count, profile image URLs and status count.

While the free release of 5.4 million records is a major concern, a larger data dump was also allegedly created utilising the exact same vulnerability. The report of this more substantial data breach came from cybersecurity expert Chad Loder who posted the news initially on Twitter and later, on Mastodon.

His post read:

“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021.”

The most common use of exposed contact details is targeted phishing. With a combination of contact details and personal information, threat actors can craft believable malicious messages that may fool victims into clicking on links or downloading attachments. Links may lead to bogus log-in pages that look legitimate but are designed to steal passwords, while attached files can drop malware payloads on devices.

Following a breach and data disclosure, users with compromised information should be wary of emails from the company involved. Consequently, due to the recent activity on the hacker forum, Twitter users should view any emails that purport to be from the company with suspicion.