Cybercriminals started selling the user details of more than 5.4 million Twitter users on a hacking website in July this year after taking advantage of an API flaw that was made public in December 2021. Around the same time that other researchers discovered a compromise affecting millions of accounts throughout the EU and US, a hacker made this information available for free.
While the majority of the data was made up of publicly available details like Twitter IDs, names, login names, localities, and verified status, it also contained private details like phone numbers and email addresses.
Security specialist Chad Loder was the first to reveal the story, but he was suspended from the microblogging service shortly afterwards. According to Loder, they contacted a sample of the impacted accounts and concluded that the information was accurate and that the breach happened in 2021.
The information was first stolen from Twitter by exploiting a vulnerability in the service's application programming interface (API), but it is now freely available online. Twitter was open about the initial user ID leak and API attack that affected millions of users. The platform said at the time that it was alerting users whom it could verify had been affected by the data leak.
The data of 5,485,635 active Twitter users was exchanged freely on a hacking site on November 24. The initial 5.4 million records were distributed for free in a thread that appeared on BreachForums last week, and as of the time of reporting, the forum thread was still active. Although the forum thread claimed that a further 1.4 million records from restricted accounts may still be circulating exclusively in private circles, Gizmodo was unable to confirm the veracity of that information.
A breach of 17 million users would be one of the larger user data breaches, though by no means the largest given that Twitter has more than 200 million active daily users.