November 28, 2022 (updated 14 Dec 2022 10:26am)

Twitter data breach worse than first thought, researchers claim

Records of over five million Twitter users are being shared freely online, with multiple hackers exploiting a single vulnerability.

By Claudia Glover

A Twitter data breach announced earlier this year has been revealed to be much worse than thought. It appears that a database containing emails and phone numbers of 5.4 million Twitter users is being shared among numerous hackers, rather than just one offender.

A Twitter data breach this summer exposed over five million user records. (Photo by Ascannio/Shutterstock)

Another database, reportedly featuring records of up to 17 million Twitter users, has also been compiled, apparently using the same methods, though this has not yet been released online. These breaches do not bode well for Twitter’s overall cybersecurity, and could cause a “real risk of backlash on the company,” an expert told Tech Monitor.

How the Twitter data leak happened

The database of 5.4 million records was released on the clear-web hacking forum Breached.co last week, and is available to access for free. It has apparently already been accessed by multiple hackers, who have been passing details of users around on the dark web.

It features data from a leak that was uncovered in July, when the private details of millions of Twitter users were found to be on sale online for $30,000. The hackers apparently accessed the data via a vulnerability in an API that Twitter had been aware of since January, which allowed hackers to match email addresses and phone numbers with Twitter handles.

Twitter acknowledged the incident in August. “This bug resulted from an update to our code in June 2021,” a company statement said. “In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”

Another dataset containing a dump of up to 17 million Twitter records is also on the market, according to security researcher Chad Loder. These have not yet been made available for free, but are apparently broken up by country and area codes, including Europe, Israel, and the USA. The number of records in this dataset has not been verified.

What is clear is that the technique has been widely exploited, Loder said. “There appear to have been multiple threat actors, operating independently, harvesting this data throughout 2021 for both phone numbers and emails,” Loder explained. “The email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability.”
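The discoverability bug Loder describes is, in effect, a lookup that resolves an email address or phone number to a handle for any caller that asks. The following added illustration (not Twitter's code; the accounts, per-caller budget and log lines are constructed) shows a hardened lookup beside that weak behaviour, plus a log check that flags callers whose query volume looks like a harvesting run rather than an address-book sync.

```python
"""Contact-discovery lookup, weak vs hardened, plus a harvesting check.
Added illustration, not Twitter's code: it models the bug class the
article describes, an endpoint that resolves an email or phone number
to a handle. All accounts, limits and log lines are constructed."""
import re
from collections import defaultdict

# Constructed accounts: handle -> (contact, discoverable_by_contact)
ACCOUNTS = {
    "alice": ("alice@example.com", False),  # opted out of discovery
    "bob": ("bob@example.com", True),       # opted in
}
LOOKUP_BUDGET = 3  # hypothetical per-caller lookups per window


class ContactLookup:
    def __init__(self, hardened):
        self.hardened = hardened
        self.calls = defaultdict(int)

    def lookup(self, caller, contact):
        """Return the handle for `contact`, or None.
        Weak mode answers for any contact, ignores the discoverability
        opt-in and has no budget, so a large address list can be resolved
        to handles one query at a time. Hardened mode honours both, and an
        unknown contact, an opted-out account and a throttled caller all
        get the same None, so the response itself leaks nothing."""
        if self.hardened:
            self.calls[caller] += 1
            if self.calls[caller] > LOOKUP_BUDGET:
                return None
        for handle, (stored, discoverable) in ACCOUNTS.items():
            if stored == contact and (discoverable or not self.hardened):
                return handle
        return None


LOG_RE = re.compile(r"caller=(\S+) contact=(\S+)")


def flag_enumerators(log_lines, threshold):
    """Callers that resolved more distinct contacts than `threshold`:
    one user syncs one address book, a harvesting run queries thousands."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return sorted(c for c, s in seen.items() if len(s) > threshold)
```

In production the budget would be keyed on an authenticated caller and a time window, and the log check would run over the lookup service's real access log rather than the constructed lines used here.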

Loder’s Twitter account has since been suspended, but he has continued to post details of the breach on his Mastodon account.


Twitter’s cybersecurity problems set to continue

Tech Monitor has previously reported on the potential cybersecurity problems created by Musk’s $44bn takeover of Twitter, which led to half of the company’s staff being made redundant. Since Musk bought the company in October he has pursued a stark reorganisation of the company that some analysts worry is having a negative effect on the basic running of the site. 

Though the current problems started before Musk took charge, the platform is likely to have difficulty resolving issues like this in future with so many staff having departed, says Tom Gol, CTO for research at security vendor Armis. “Now, they have a whole new privacy challenge and security risk, which is being exacerbated by employees being let go or leaving – it’s natural that there will be distractions,” Gol says. “It’s these newer sets of challenges that are going to be creating issues. What should drive concern is if there will be enough procedural rigour without the leader at the helm.”

Gol added that Twitter had removed the multi-factor identification security protocol as part of a cull of 80% of the microservices running on the platform. That “doesn’t bode well for the future,” he said.

He adds that Twitter users smarting from the potential exposure of their personal details may have to get used to their information being put at risk. “When services get shut down there should be a wider understanding of the impact that it will have on the business,” Gol says. “With this new frontier of Twitter, it is possible to impersonate anyone or anything around the globe. If we couple that with the determination of hacktivists or even ex-employees, there is a real risk of backlash on the company – and Twitter users could be the ones in the firing line as a result.”

In more positive security news, Musk announced over the weekend that Twitter direct messages would be end-to-end encrypted under proposed changes to the platform, but Gol is sceptical the feature will be introduced imminently. “The platform previously attempted to implement encrypted DMs back in 2018 and gave up for an unknown reason,” Gol says. “Given that the same task took Meta over a year, and that Twitter recently laid off a significant part of its workforce, it may take some time before we see this feature rolled out.”
