Thousands of people are not happy after learning that hackers stole and released millions of Twitter users’ private data for free on the internet.
BleepingComputer reports, “While most of the data consisted of public information, such as Twitter IDs, names, login names, locations, and verified status, it also included private information, such as phone numbers and email addresses.”
Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum.
Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors.
The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.
The outlet also reports that, in addition to the 5.4 million Twitter records of current users, the hackers stole the private data of an additional 1.4 million Twitter profiles for suspended users.
The initial hack took place in July of 2021, but prior to this past week the information wasn’t freely available to anyone who wanted it.
In September, and now last week, the data has been released for free on a hacking forum, allowing any phishing actor to use the data in targeted attacks.
Another data set consisting of 1.4 million suspended users was not released, and was circulated privately.
— BleepingComputer (@BleepinComputer) November 27, 2022
On November 24th, the data of 5,485,635 current Twitter users was posted and shared for free on a hacking forum.
While it is concerning that threat actors released the 5.4 million records for free, an even larger data dump was allegedly created using the same vulnerability.
This data dump potentially contains tens of millions of Twitter records consisting of personal phone numbers collected using the same API bug, and public information, including verified status, account names, Twitter ID, bio, and screen name.
Many Twitter users are upset that their private data may have been released by hackers online
So, while Apple allegedly is threatening to pull Twitter from its iOS App Store (at least according to Elon Musk), many users of Twitter are expressing serious concern that their personal data may have been stolen through the app being hacked.
If you receive an email claiming your account is suspended, there are login issues, or you will lose your verified status, and it prompts you to log in on a non-Twitter domain, ignore the emails and delete them as they are likely #phishing attempts. https://t.co/DvscSlZipB
— Dianne Woodward (@WoodwarddianneJ) November 28, 2022
“Will the @elonmusk fanboys also spin this in a positive light, just like all his recent, terrible business decisions?” one user tweeted.
“I’ve already gotten phishing text messages,” another user commented.
But hey, let’s focus on the blue check mark instead… 🤦‍♂️
— Ryan Degner (@Ryan_Degner) November 28, 2022
“This is precisely why I refuse to share my phone number with any website. Twitter needs to remove the phone number verification immediately,” someone else wrote.
The data dump was identified by the founder of cyber security awareness company Habitu8, Chad Loder, who shared the news in a post on his Twitter handle on November 23 and had his account suspended shortly after posting the information.
— Punch Newspapers (@MobilePunch) November 28, 2022