Millions of Twitter users have had their data leaked online

A Twitter vulnerability first discovered and patched in January 2022 seems to have caused a lot more damage than initially thought. 

As TechRadar Pro reported in late July 2022, a data dump of sensitive identity information for 5.4 million Twitter users was sold on the dark web. Now, follow-up reports say that not only is that data dump being offered for free, but a second, potentially even more damaging breach has taken place.

This one, according to BleepingComputer, potentially contains “tens of millions of Twitter records”, including people’s phone numbers, verified status, account names, Twitter IDs, biographies, and screen names.

Authenticity confirmed

The findings were initially published by security researcher Chad Loder, who was allegedly banned from Twitter after breaking the news. He has since migrated to Mastodon, and published his findings there. 

"I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021," Loder shared on Twitter at the time.

BleepingComputer analyzed a sample of the breach, containing more than 1.3 million phone numbers of Twitter users from France, and came to the conclusion that the numbers are valid. 

“We have since confirmed with numerous users in this leak that the phone numbers are valid, verifying this additional data breach is real,” the publication noted. 

These phone numbers were not part of the data dump that was being sold last summer, all but confirming that a second breach has occurred. 

BleepingComputer also managed to get in touch with the person behind the initial data breach, a hacker going by the alias "Pompompurin", who confirmed that they were not responsible for the second leak.

Therefore, it’s safe to assume that multiple threat actors knew about Twitter’s flaw and actively worked to exploit it before it was originally patched.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.