A Twitter vulnerability first discovered and patched in January 2022 appears to have caused much more damage than initially thought.
As TechRadar Pro reported in late July 2022, a data dump of sensitive identity information for 5.4 million Twitter users was sold on the dark web. New reports now indicate that not only is this data dump being offered for free, but a second, potentially even more damaging breach has occurred.
This second dump, according to BleepingComputer, potentially contains "tens of millions of Twitter records," including people's phone numbers, verified status, account names, Twitter IDs, biographies and pseudonyms.
The findings were originally posted by security researcher Chad Loder, who was reportedly banned from Twitter after breaking the news. He has since moved to Mastodon and published his findings there.
“Just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in the EU and US. I contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021,” Loder shared on Twitter at the time.
BleepingComputer analyzed a sample from the breach, which contained more than 1.3 million phone numbers of Twitter users in France, and concluded that the numbers are valid.
"We have since confirmed with numerous users in this leak that the phone numbers are valid, verifying that this additional data breach is real," the post notes.
These phone numbers were not part of the data dump sold last summer, all but confirming that a second, separate leak exists.
BleepingComputer also managed to contact the person behind the initial data leak, a hacker using the alias "Pompompurin", who confirmed that he was not responsible for the second leak.
Therefore, it is safe to assume that various threat actors were aware of the Twitter flaw and actively worked to exploit it before it was initially patched.