
An old Twitter flaw turns out to be more serious than initially thought

source link: https://www.androidcentral.com/apps-software/twitter-data-leak-compromises-millions-of-users

What you need to know

  • A vulnerability that Twitter previously claimed to have fixed may have exposed the personal data of millions of users.
  • Over 5.4 million Twitter user records have reportedly been shared for free on a hacking forum.
  • The same vulnerability is also said to have spawned a larger data dump containing "tens of millions" of user records.

An old vulnerability that Twitter claimed was fixed earlier this year continues to haunt the social media company, and it appears to have far more serious security implications than we initially suspected.

BleepingComputer reports that personal information of approximately 5.4 million Twitter users, stolen by exploiting an API vulnerability, has been freely shared on a hacker forum. This appears to be the same data dump that a hacker purportedly sold in August for $30,000.

As a recap, Twitter confirmed in August the existence of an API vulnerability that let anyone submit an email address or phone number and learn which Twitter account it was associated with, potentially exposing the real identity behind a pseudonymous account. However, the company said then that it had found no evidence that the flaw was ever exploited.
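The flaw described above is a classic account-enumeration oracle: an endpoint that takes a contact detail and confirms (or denies) that it belongs to an account. The following is an added example written for this page, not Twitter's code or API; the user directory, handles, contact details, function names and the quota mechanism are all constructed for illustration. It models the leaky lookup, the attacker's bulk-probing loop, and a hardened variant that returns the same response whether or not the contact is registered.

```python
"""Illustration of a contact-to-account lookup oracle and a hardened variant.

Added example for this article; it is not Twitter's code or API. The user
directory, handles and endpoint names below are constructed for the demo.
"""

# Constructed sample directory: pseudonymous handles and the contact details
# their owners registered (for recovery or friend discovery).
USERS = {
    "alice_anon": {"email": "alice@example.org", "phone": "+15550100", "discoverable": False},
    "whistle42":  {"email": "w42@example.net",   "phone": "+15550199", "discoverable": True},
}

# Reverse index: normalised contact detail -> handle.
CONTACT_INDEX = {}
for _handle, _rec in USERS.items():
    CONTACT_INDEX[_rec["email"].lower()] = _handle
    CONTACT_INDEX[_rec["phone"]] = _handle


def vulnerable_lookup(contact: str) -> dict:
    """Leaky endpoint of the kind the article describes: given a phone number
    or e-mail address it says whether the contact is registered and which
    account it belongs to. Anyone who can call it can deanonymise an account
    whose owner's contact details they already hold."""
    handle = CONTACT_INDEX.get(contact.strip().lower())
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


def enumerate_contacts(lookup, candidates) -> dict:
    """Attacker's side: replay a list of phone numbers / e-mails against the
    endpoint and keep every contact that maps to an account."""
    hits = {}
    for contact in candidates:
        resp = lookup(contact)
        if resp.get("status") == "found":
            hits[contact] = resp["handle"]
    return hits


def _notify_owner(handle: str, contact: str) -> None:
    """Stand-in for the out-of-band action (mail/SMS to the owner). It produces
    nothing the caller of the endpoint can observe."""
    return None


def hardened_lookup(contact: str, caller_id: str, quota: dict, limit: int = 3) -> dict:
    """Hardened variant. Three changes close the oracle:
    1. the response is identical whether or not the contact is registered;
    2. a match is only acted on for accounts that opted into discoverability,
       and even then the handle is never echoed back to the caller;
    3. each caller gets a small quota, so bulk probing is cut off.
    `quota` is a caller_id -> calls-used map standing in for a rate limiter."""
    used = quota.get(caller_id, 0)
    if used >= limit:
        return {"status": "rate_limited"}
    quota[caller_id] = used + 1

    handle = CONTACT_INDEX.get(contact.strip().lower())
    if handle is not None and USERS[handle]["discoverable"]:
        _notify_owner(handle, contact)

    # Uniform reply: the caller learns nothing about whether `contact` exists.
    return {"status": "ok", "message": "If this contact is registered, its owner has been notified."}


if __name__ == "__main__":
    probes = ["alice@example.org", "+15550199", "nobody@example.org", "+15550100"]
    print("vulnerable:", enumerate_contacts(vulnerable_lookup, probes))
    q = {}
    print("hardened:  ", [hardened_lookup(p, "attacker", q)["status"] for p in probes])
```

Run as a script, the vulnerable path maps three of the four probes back to handles, while the hardened path answers "ok" three times (with an identical body each time) and then "rate_limited". The quota alone would not have been enough: even a slow attacker can deanonymise a targeted individual with a single query, which is why the uniform response is the change that actually removes the oracle.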

The new BleepingComputer report indicates that not only is that data dump now offered on a hacker forum for free, but other sets of stolen data have also emerged from the same vulnerability. Pompompurin, who owns the hacking forum known as Breached, told BleepingComputer that they created the data dump after exploiting the bug. They also admitted that details of the vulnerability were originally obtained from another hacker known as "Devil."


In addition to the 5.4 million user records, Pompompurin claims responsibility for obtaining 1.4 million Twitter profiles for suspended accounts. The hacker claimed that this data dump was obtained using another API, though it was only shared privately with a few people.

However, other people may also have exploited the API vulnerability. Security expert Chad Loder has revealed that records on tens of millions of Twitter users may have been obtained using the same API. This data dump apparently includes personal phone numbers along with public information such as account names and Twitter IDs.

Loder shared a redacted sample of the dataset on Mastodon after being suspended from Twitter shortly after posting the same information there. The affected Twitter accounts are said to be based in the EU and the U.S., and the breach apparently "occurred no earlier than 2021." BleepingComputer learned that the data dump contained more than 17 million records, though it could not confirm this.

BleepingComputer says it was able to validate the authenticity of the leaked phone numbers and found that they were separate records from the earlier 5.4 million-record trove, which implies that the breach is larger than previously thought.

Android Central has contacted Twitter for comment and will update this article when we hear back.

