In the last week, 5.4 million accounts leaked after a security breach at Twitter were made available for free on a hacker forum. The leak, which reveals phone numbers and email addresses, took place in July.
Information on the free “distribution” of the accounts was revealed by the website BleepingComputer. In July, the “package” of accounts was on sale for US$ 30,000 (R$ 161,001.00 in direct conversion). Last week, the database was released free of charge to forum users.
5.4 million Twitter accounts leaked in forum
The owner of the Breached forum, where hackers often sell their “spoils of war”, revealed to BleepingComputer that the accounts made available in the last week are the same ones that were sold in July.
In addition to the 5.4 million Twitter accounts, hackers had access to personal information from over 1.4 million suspended profiles on the platform — in total, there were 6.8 million hacked accounts. However, the owner of the forum stated that the details of the suspended accounts were only disclosed among some members of the forum.
Flaw may have generated a second wave of account leaks
If leaking 6.8 million accounts is already a problem, imagine a second data theft using the same security hole. To recap the case, the disclosure of accounts in July used a flaw found in a Twitter API in December 2021. In January, the social network fixed the problem.
Chad Loder, a cybersecurity expert, posted on Twitter about a new data leak on the social network. Shortly afterwards, his account was suspended (still available on the Web Archive), but he reiterated the case on his Mastodon account.
The vulnerability took advantage of the option that lets a user be found by common contacts through their phone number. According to Loder, the new leak includes the full numbers of several phones with area codes from European countries and the United States.
The new leak is probably not from the same database released in July. The owner of the Breached forum told BleepingComputer that this new data was not aggregated by anyone on the forum, which suggests that other groups took advantage of the vulnerability on Twitter.
The numbers, still unconfirmed, suggest that 17 million accounts had information leaked in the breach. Twitter has yet to release anything on the subject.
With information from BleepingComputer and Engadget