A Twitter vulnerability first discovered and patched in January 2022 appears to have done much more damage than originally thought.
As Best Product Pro reported at the end of July 2022, a sensitive identity data dump containing information on 5.4 million Twitter users was sold on the dark web. Now, follow-up reports show that not only is that data dump being offered for free, but that a second, potentially even more damaging breach has been committed.
This one, according to Beeping computer, may contain “tens of millions of Twitter records”, including people’s phone numbers, verified status, account names, Twitter IDs, bios, and screen names.
Authenticity confirmed
The findings were initially published by security researcher Chad Loder, who was reportedly banned from Twitter after sharing the news. He has since migrated to Mastodon and published his findings there.
“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in the EU and US. I have contacted some of the affected accounts and they have confirmed that the breached data is accurate. This breach found no earlier than 2021.” Loder shared on Twitter at the time.
Beeping computer analyzed a sample of the breach, containing more than 1.3 million phone numbers of Twitter users from France, and concluded that the numbers are valid.
“We have since confirmed with numerous users in this leak that the phone numbers are valid, verifying that this additional data breach is real,” the publication said.
These phone numbers were not part of the data dump sold last summer, which all but confirms that a second breach has occurred.
Beeping computer also managed to get in touch with the person who perpetrated the first data breach, a hacker with the alias “Pompompurin”, who confirmed that they were not responsible for the second breach.
Therefore, it’s safe to assume that multiple threat actors knew about Twitter’s flaw and actively worked to exploit it before it was originally patched.