In January, about 5.4 million Twitter users had their private information stolen through an API vulnerability and spread on a hacker forum.
However, according to Bleeping Computer, a security researcher has now revealed another huge and potentially more significant data breach affecting millions.
Hackers Have Begun Selling Data From The Breach
Last July, a hacker began selling the compromised information of over 5 million Twitter users on a hacking forum for as much as $30,000.
The data compromised in January consists of a mix of private and public information, such as phone numbers and email addresses.
It also contained Twitter IDs, names, login names, locations, and verification statuses, collected back in December 2021 using a Twitter API issue disclosed through the HackerOne bug bounty program.
The Twitter API vulnerability allowed anyone to submit a phone number or email address to the API and receive the associated Twitter ID in return.
With that Twitter ID, the hackers could then retrieve the account's public information and combine it into a complete user record.
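The mechanism described above is a classic account-enumeration leak: a lookup endpoint that confirms which account a submitted phone number or email address belongs to. The following is an added illustration, not Twitter's code or the reporting's, showing the leaky response pattern beside a hardened one that answers identically whether or not the identifier exists, plus a small log check that flags a client submitting many distinct identifiers to such an endpoint in a short window. The account table, the `/api/contacts/lookup` path, the client keys and every log line are constructed for the example.

```python
"""Account-enumeration leak, hardened response, and a log-based detector.

Added example; all account data, paths, client keys and log lines are
constructed and hypothetical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed account table: contact identifier -> account id
ACCOUNTS = {"alice@example.com": 1001, "+15555550100": 1002}


def lookup_vulnerable(identifier: str) -> dict:
    """Leaky pattern: the response reveals whether the identifier is tied to an
    account and which one, so any caller can turn a list of phone numbers or
    email addresses into account IDs."""
    if identifier in ACCOUNTS:
        return {"found": True, "id": ACCOUNTS[identifier]}
    return {"found": False}


def lookup_hardened(identifier: str, caller_is_owner: bool) -> dict:
    """Hardened pattern: the mapping is only returned to a caller who has proven
    control of the identifier (e.g. via a code sent to it); everyone else gets
    the same response whether or not the identifier exists."""
    if caller_is_owner and identifier in ACCOUNTS:
        return {"status": "ok", "id": ACCOUNTS[identifier]}
    return {"status": "ok"}  # constant shape and content, nothing to enumerate


# Constructed access-log format (hypothetical): ISO timestamp, client key,
# request path, submitted identifier.
LOG_RE = re.compile(r"^(?P<ts>\S+) key=(?P<key>\S+) path=(?P<path>\S+) ident=(?P<ident>\S+)$")
LOOKUP_PATH = "/api/contacts/lookup"  # hypothetical endpoint name


def _fmt(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


_BASE = datetime(2022, 12, 1, 10, 0, 0, tzinfo=timezone.utc)
LOG_LINES = (
    # key-A submits 25 different identifiers within two minutes (enumeration)
    [f"{_fmt(_BASE + timedelta(seconds=5 * i))} key=key-A path={LOOKUP_PATH} "
     f"ident=user{i:02d}@example.com" for i in range(25)]
    # key-B looks up three contacts, a plausible legitimate volume
    + [f"{_fmt(_BASE + timedelta(seconds=30 * i))} key=key-B path={LOOKUP_PATH} "
       f"ident=friend{i}@example.com" for i in range(3)]
    # unrelated traffic that the detector must ignore
    + [f"{_fmt(_BASE)} key=key-A path=/api/timeline ident=-"]
)


def parse_line(line: str):
    """Return (timestamp, client key, path, identifier) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["key"], m["path"], m["ident"]


def flag_enumeration(lines, path=LOOKUP_PATH, window=timedelta(minutes=5), max_distinct=20):
    """Map client key -> peak number of distinct identifiers submitted to `path`
    inside any `window`, for clients exceeding `max_distinct`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != path:
            continue
        ts, key, _, ident = parsed
        events[key].append((ts, ident))

    flagged = {}
    for key, evs in events.items():
        evs.sort()
        recent = deque()  # sliding window of (timestamp, identifier)
        peak = 0
        for ts, ident in evs:
            recent.append((ts, ident))
            while recent and recent[0][0] < ts - window:
                recent.popleft()
            peak = max(peak, len({i for _, i in recent}))
        if peak > max_distinct:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"), lookup_vulnerable("nobody@example.com"))
    print(lookup_hardened("alice@example.com", False), lookup_hardened("nobody@example.com", False))
    print(flag_enumeration(LOG_LINES))
```

The detector keys on distinct identifiers rather than raw request count, because a legitimate contact-sync client re-checks the same few contacts repeatedly while an enumerator never repeats one; the threshold and window are tuning knobs, not fixed values.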
According to Cyber Security Hub, a hacker who goes by the username "devil" claimed that they are selling the stolen data of more than 5.4 million Twitter accounts.
After sample Twitter user records were reported, the social network confirmed the breach caused by the API bug in January 2022.
The owner of the hacking forum Breached, who goes by Pompompurin, says they were responsible for exploiting the bug and creating the massive collection of Twitter user records.
However, it was found that in addition to the 5.4 million user records for sale, there are 1.4 million profiles of suspended users collected using a different API.
A Newly Discovered Data Dump Accounts For An Even Larger Number Of Records
While the selling of the 5.4 million Twitter user records on a hacker forum is concerning in itself, Twitter is also faced with an even larger breach that was allegedly made possible using the same API bug.
This data dump reportedly has tens of millions of Twitter user records, including phone numbers, verified statuses, account names, Twitter IDs, bios, and screen names.
In total, there are approximately 17 million records from this recent dump, which can be used to target users in phishing attacks.
Security expert Chad Loder was the first to break this news on Twitter and was immediately suspended from the platform after posting about the larger, more significant data breach.
Bleeping Computer reports that it has confirmed with numerous users that some of the data from the breach is real.
Meanwhile, Pompompurin says that this other massive breach was not their responsibility, and that they do not know who created the newly discovered Twitter API bug.
Twitter has not provided any additional information about the issue, but it has warned users to ignore and delete any suspicious emails that could be used to steal login credentials.