Twitter: the stolen information of 5.4 million users broadcast online


Alexandre Fiannaca

November 30, 2022 at 12:55 p.m.


Twitter application on a tablet © Souvik Banerjee/Unsplash


The leaked data contains public information, such as Twitter usernames and account names. More worryingly, it also includes phone numbers and email addresses, which are supposed to remain private.

“I provide you with the data of several Twitter users […]. 5,485,636, to be exact. You will find the information of celebrities, companies, individuals…”. A chilling message, posted on a hacking forum, which gives an idea of the extent of the leak experienced by the Twittersphere.

A flaw that dates back to the end of 2021

At the origin of this massive leak: the exploitation of a zero-day vulnerability in a user account recovery API. That API exposes a function which links a telephone number or an e-mail address to a particular account. Reserved for internal use, it should have been kept strictly confidential. After the flaw was identified through its bug bounty program, Twitter fixed it last January. “We have no trace indicating that it could have been exploited…”, the blue bird said in the following months.

Too late: the user information had already been collected in December by scraping, a method that allows data to be extracted in bulk. Once aggregated, the data was offered during the summer, negotiated at 30,000 dollars (about 29,000 euros) with several hackers, then made available free of charge.

Enlarged, the database concerns 1.4 million French people

But that’s not the end of the story. A new batch of personal data has indeed been added to this collection, swelling the existing database.

And the bad news is that it concerns more than a million French accounts. This was revealed by Chad Loder, a cybersecurity specialist, who posted an excerpt from his research on the Mastodon social network. Among the accessible data: mobile numbers with the +33 country code, biographies and information on verified accounts. Additionally, accounts based in the UK and several regions of the US would also be affected.

The data collection goes even further. The specialized site Bleeping Computer, which was able to speak with the forum’s owner, indicated that the data of more than a million suspended profiles was also recovered via another API. Information which, this time, would have “not been sold, but only privately shared between a few people”, explain the hackers, quoted by the outlet.

Between undisclosed databases, scattered or shared only among hackers, it remains very difficult to estimate precisely the number of accounts affected by this massive leak. One thing is certain: it is never too late to secure your Twitter account and to think twice before opening an email or an SMS purporting to come from the firm bought by Elon Musk.

Sources: Bleeping Computer, Gizmodo, 9to5Mac
