Twitter says recently leaked user data are from 2021 breach

Twitter confirmed that the recent leak of members’ profile information resulted from the 2021 data breach disclosed in August 2022.

Twitter confirmed that the recent data leak of millions of profiles resulted from the 2021 data breach that the company disclosed in August 2022.

At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.

The threat actor offered for sale the stolen data on the popular hacking forum Breached Forums.

The seller claimed that the database was containing data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of data in the form of a csv file.

In August the company confirmed that the data breach was caused by the now-patched zero-day flaw submitted by zhirinovskiy via bug bounty platform HackerOne and that the researcher received a $5,040 bounty.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads the Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”

In November, the website 9to5mac.com claimed that the data breach was worse than initially reported by the company. The website reports that multiple threat actors exploited the same flaw and the data available in the cyberscrime underground have differed sources.

“A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.” reads the post published by 9to5mac.com

9to5Mac‘s claims are based on the availability of the dataset that contained the same information in a different format offered by a different threat actor. The source told the website that the database was “just one of a number of files they have seen.” It seems that the impacted accounts are only those having the “Discoverability | Phone option (which is hard to find within Twitter’s settings)” enabled in late 2021.

The archive seen by 9to5Mac includes data belonging to Twitter users in the UK, almost every EU country, and parts of the US.

“I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for entire country’s telephone number space from +XX 0000 to +XX 9999.” the source told 9to5Mac. “Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.”

The experts speculate that multiple threat actors had access to the Twitter database and combined it with data from other security breaches.

The security researcher behind the account @chadloder (Twitter after the disclosure of the news) told 9to5Mac that the “email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability.”

The researcher told the website that they would reach out to Twitter for comment, but the entire media relations team left the company.

Now the company shared the results of the investigation conducted by its Incident Response Team.

“In November 2022, some press reports published that Twitter users’ data had been allegedly leaked online,” reads the update provided by the company. “As soon as we became aware of the news, Twitter’s Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases.”

The company pointed out that no passwords were exposed, however, it encourages its users to enable 2-factor authentication using authentication apps or use hardware security keys to protect their accounts from unauthorized logins.

“We also encourage Twitter users to remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns,” concludes the advisory. “Be wary of emails conveying a sense of urgency and emails requesting your private information, always double check that emails are coming from a legitimate Twitter source.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]