As per reports, the PII of over 5.4 million Twitter users has been leaked on a hacking forum, where anyone can use it to perform malicious operations.
While this was reportedly obtained through an API bug on Twitter, which has since been fixed, another dump containing over 17 million records is being shared privately. Researchers warn that this data could be used for targeted phishing attacks.
Twitter User Data Leak
In what is termed a serious data leak in Twitter’s history, over 5.4 million records of Twitter users have been leaked for free in a hacking forum. This was the same dataset that was previously traded for $30,000 – and obtained through an API bug in Twitter.
Though Twitter patched this bug earlier this year, the damage has already been done, as multiple threat actors had already exploited it. Aside from this, another 1.4 million Twitter profiles belonging to suspended accounts were also stolen.
As per reports, this dump of nearly 7 million Twitter profiles contains either a private email address or phone number, Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs.
While someone dumped the first database (5.4 million) for free, the second one containing 1.7 million records was only shared privately among a few people. But that’s not all; BleepingComputer reported that another database containing 17 million records on Twitter users is also being shared privately.
The publication obtained a sample list of more than 1.3 million phone numbers belonging to users in France and confirmed it to be authentic. Moreover, this dump contains phone numbers that were not present in the original database that is now offered for free.
How this fresh database was acquired is still unknown, but it is said to contain numerous files broken up by country and area code, covering Europe, Israel, and the USA.
These details can be used for targeted phishing attacks, for gathering more information on victims, and for other malicious purposes. So watch out for emails that pretend to come from Twitter and ask you to sign in on a non-Twitter domain. Ignore any such email if it looks suspicious.
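The advice above, checking whether a "Twitter" email actually links to a non-Twitter domain, can be automated as a small triage step in a mail filter. The following is an added example, not code from the original article or from Twitter; the sample email bodies are constructed for illustration, and the assumption is that genuine Twitter mail only links to twitter.com or t.co. The point it makes beyond the text is that the check must match on the registrable domain boundary, not on a substring: lookalikes such as "twitter.com.account-verify.example" contain the string "twitter.com" and must still be flagged.

```python
"""Flag links in an e-mail that claims to be from Twitter but points elsewhere.

Added example, not part of the original article. Sample messages are
constructed; TRUSTED_DOMAINS is an assumption about where genuine Twitter
e-mails link.
"""
import re
from urllib.parse import urlparse

# Domains a genuine Twitter e-mail is expected to link to (assumption).
TRUSTED_DOMAINS = ("twitter.com", "t.co")

# Crude URL extractor: enough for plain-text bodies in this example.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """True only if host equals a trusted domain or is a subdomain of one.

    Matching on the dot boundary is deliberate: a naive substring check
    would accept 'twitter.com.account-verify.example' and 'nottwitter.com';
    this function rejects both.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(body: str) -> list[str]:
    """Return every URL in the body whose host is not under a trusted domain."""
    flagged = []
    for url in URL_RE.findall(body):
        # urlparse().hostname drops userinfo and port, so a link like
        # https://twitter.com@evil.example/ resolves to host 'evil.example'.
        host = urlparse(url).hostname or ""
        if not is_trusted_host(host):
            flagged.append(url)
    return flagged


def triage(body: str) -> str:
    """Verdict for a mail body: 'suspicious' if any off-domain link, else 'ok'."""
    return "suspicious" if suspicious_links(body) else "ok"


# Constructed sample bodies for demonstration.
GENUINE_MAIL = (
    "Review your account settings at https://twitter.com/settings/account "
    "or follow the short link https://t.co/abc123"
)
PHISHING_MAIL = (
    "Your data was exposed in a breach. Verify your account now: "
    "https://twitter.com.account-verify.example/login"
)

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE_MAIL), ("phishing", PHISHING_MAIL)):
        print(label, triage(body), suspicious_links(body))
```

Run it directly to see the verdict for each constructed message; in a real filter you would feed it the decoded text part of an incoming mail and route anything marked "suspicious" to quarantine or to a warning banner rather than silently dropping it.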