A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.
It had previously been thought that only one hacker gained access to the data, and Twitter’s belated admission reinforced this impression …
HackerOne first reported the vulnerability back in January. It allowed anyone to enter a phone number or email address and then find the associated twitterID. This is an internal identifier used by Twitter, but it can be readily converted to a Twitter handle.
A bad actor would be able to put together a single database which combined Twitter handles, email addresses, and phone numbers.
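The lookup described above is only dangerous at scale, which is why the defensive check worth having on such an endpoint is per-client enumeration detection: a genuine user looks up a handful of contacts, while a scraper submits thousands of distinct keys per minute. The following is an added example, not code from Twitter or from the researchers mentioned in this article; it assumes a hypothetical endpoint path `/i/lookup`, a constructed log format, and lookup keys that are hashed before logging.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real Twitter logs) for a hypothetical
# account-lookup endpoint. Assumed format:
#   "<ISO timestamp> <client-ip> <path> <hashed-lookup-key>"
# Keys are hashed so the log itself never stores raw phone numbers or emails.
SAMPLE_LOG = """\
2022-01-10T10:00:01 198.51.100.5 /i/lookup k-a1
2022-01-10T10:00:09 198.51.100.5 /i/lookup k-b2
2022-01-10T10:02:30 198.51.100.5 /i/lookup k-a1
2022-01-10T10:00:02 203.0.113.7 /i/lookup k-c3
2022-01-10T10:00:03 203.0.113.7 /i/lookup k-d4
2022-01-10T10:00:03 203.0.113.7 /i/lookup k-e5
2022-01-10T10:00:04 203.0.113.7 /i/lookup k-f6
2022-01-10T10:00:05 203.0.113.7 /i/lookup k-g7
2022-01-10T10:00:05 203.0.113.7 /i/lookup k-h8
2022-01-10T10:00:06 203.0.113.7 /i/lookup k-i9
2022-01-10T10:00:07 203.0.113.7 /i/other k-j0
"""

def parse_line(line):
    """Split one log line into (minute bucket, client, path, hashed key)."""
    ts, client, path, key = line.split()
    minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
    return minute, client, path, key

def distinct_lookups_per_minute(lines, path="/i/lookup"):
    """Count distinct lookup keys per (client, minute), lookup endpoint only.
    Distinct keys matter, not raw request count: retrying the same contact
    is normal, walking through many different contacts is enumeration."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        minute, client, p, key = parse_line(line)
        if p == path:
            seen[(client, minute)].add(key)
    return {k: len(v) for k, v in seen.items()}

def detect_enumeration(lines, threshold=5):
    """Return {client: peak distinct keys in one minute} for clients above threshold."""
    peak = defaultdict(int)
    for (client, _), n in distinct_lookups_per_minute(lines).items():
        peak[client] = max(peak[client], n)
    return {c: n for c, n in peak.items() if n > threshold}

if __name__ == "__main__":
    for client, n in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible enumeration: {client} tried {n} distinct contacts in one minute")
```

In production the threshold would be set from the observed distribution of legitimate contact-sync traffic, and the same count can drive rate limiting rather than only alerting.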
At the time, Twitter admitted that the vulnerability had existed, and subsequently been patched, but said nothing about anyone exploiting it.
Restore Privacy subsequently reported that a hacker had indeed used the vulnerability to obtain personal data from millions of accounts.
Massive Twitter data breach plural, not singular
There were suggestions on Twitter yesterday that the same personal data had been accessed by multiple bad actors, not just one. 9to5Mac has now seen evidence that this is indeed the case. We were shown a dataset which contained the same information in a different format, with a security researcher stating that it was “definitely a different threat actor.” The source told us that this was just one of a number of files they have seen.
The data includes Twitter users in the UK, almost every EU country, and parts of the US.
The option referred to here is a setting which is pretty deeply hidden within Twitter’s settings, and which appears to be on by default. Here’s a direct link.
Bad actors are believed to have been able to download around 500k records per hour, and the data has been offered for sale by multiple sources on the dark web for around $5k.
Security expert who tweeted about it has account suspended
Another security specialist who yesterday tweeted about the issue had their Twitter account suspended the same day. Internationally recognized computer security expert Chad Loder predicted Twitter’s reaction, and was confirmed right within minutes.
They told me that multiple hackers obtained the same data and combined it with data sourced from other breaches. 9to5Mac