Earlier this year, Twitter confirmed that the private user data for 5.4 million users was stolen due to an API vulnerability, but the company said it had "no evidence" that it was exploited. Now, all of those accounts have been exposed on a hacker form, BleepingComputer has reported. On top of that, an additional 1.4 million Twitter profiles for suspended users was reportedly shared privately, and an even larger data dump with the data of "tens of millions" of other users may have come from the same vulnerability.
The owner of hacking forum called Breached told BleepingComputer that it was responsible for exploiting the weakness (originally obtained from another hacker called "Devil") and dumping the user records. It said that it also obtained 1.4 million Twitter profiles for suspended accounts, obtained via another API, but only shared those privately among a few individuals.
On top of all that, security expert Chad Loder has revealed that tens of millions more Twitter records may have been collected using the same API. Once again, data collected may include private phone numbers along with public information. Loder posted a redacted sample on Mastodon, as he was banned on Twitter several days ago for unknown reasons. It could contain over 17 million records, BleepingComputer was told.
The breaches leaked users' private phone numbers and email addresses, which could be used for phishing and other scams. That information could also be exploited to uncover identities from private Twitter accounts. As usual, be very wary of any suspicious emails or texts claiming to come from Twitter — and if you're thinking about using two-factor authentication, now would be a good time.