Twitter has confirmed that the latest leak of millions of members’ profiles, including private phone numbers and email addresses, was caused by the same data breach the company disclosed in August 2022.
In 2021, a vulnerability in Twitter’s API caused a data leak that exposed private user profile information, affecting at least 5.4 million of the platform’s estimated 200 to 300 million users (at the time). The information is now freely available on a dark web forum.
Several parties were allegedly able to query the API with phone numbers and email addresses; a match to an account returned non-public contact and platform-use information. The API flaw allowed an attacker to submit email addresses or phone numbers and obtain the Twitter ID of the registered account. Twitter is said to have patched the security flaw in January 2022.
In July 2022, the contents of the data leak were first listed for sale on an underground forum, with one of the hackers asking $30,000 for a collection of 5.4 million Twitter user files. The API flaw exposed the account’s email address and phone number, as well as the city the user lives in (if provided) and some non-public usage and engagement metrics.
While Twitter’s most recent update indicates that the data leaked last month is related to the recently reported vulnerability, the company has not revealed the exact number of users who were exposed.
The sources for this piece include an article in BleepingComputer.