Twitter Queried in the EU for Data Leak of 5.4 Million Users

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Dec 24, 2022 02:43 pm PST

More than 5.4 million Twitter users were affected by this leak, which combined public profile data scraped from the site with private phone numbers and email addresses. The data was obtained by exploiting an API flaw that Twitter fixed several months earlier.

Following news reports of a significant Twitter data leak last month, the Irish Data Protection Commission (DPC) has opened an investigation. It is not taking the matter lightly with Elon Musk’s Twitter Inc.

The DPC announced on Friday that it had decided to launch an inquiry after learning that one or more datasets containing Twitter users’ personal information “had been made public on the internet.”

Data of Twitter users put up for sale since July

The private data of at least 5.4 million Twitter users was offered for sale for $30,000 on a hacking forum in July 2022. Most of the fields were already public, including Twitter IDs, names, login names, locations, and verified status, but the database also contained private data, namely email addresses and phone numbers. The DPC’s statement added that “one or more sections of the GDPR and/or the Act may have been, and/or are being, violated with respect to personal data of Twitter Users.”

The DPC, which is Twitter’s lead EU supervisory authority, is examining whether the company complied with its obligations as a data controller when processing user data, and whether any laws, including the General Data Protection Regulation (EU GDPR) and the Data Protection Act 2018, were broken.

The data was collected in December 2021 through a Twitter API flaw that was later disclosed via the HackerOne bug bounty program. The flaw let anyone submit an email address or phone number to the API and receive the corresponding Twitter ID, which turned the endpoint into a lookup oracle: an attacker with a large list of contact details could link them to accounts at scale, including accounts whose owners never made their phone number or email public.
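The lookup-oracle pattern described above, as an added illustrative example (this is not Twitter’s code, and the endpoint, directory contents, caller identifiers and request budget are all constructed assumptions): a vulnerable handler that answers “is this contact registered, and to which account?”, the scraping loop that abuses it, and a hardened variant that returns the same body for registered and unregistered contacts and caps each caller’s request budget.

```python
"""Illustrative model of a contact-lookup oracle and one way to close it.
Hypothetical code written for this article, not Twitter's implementation."""
from collections import defaultdict

# Constructed sample directory: contact detail -> account id (made-up data).
DIRECTORY = {
    "alice@example.com": 1001,
    "+15550100": 1002,
    "bob@example.org": 1003,
}

# Constructed candidate list an attacker might feed in; only some are registered.
CANDIDATES = [
    "alice@example.com",
    "+15550100",
    "nobody@example.net",
    "+15550199",
]


def vulnerable_lookup(contact: str) -> dict:
    """The oracle: one request reveals whether the contact is registered and,
    if so, which account it belongs to."""
    account_id = DIRECTORY.get(contact)
    if account_id is None:
        return {"found": False}
    return {"found": True, "account_id": account_id}


class HardenedLookup:
    """Same feature with two mitigations: the response no longer distinguishes
    registered from unregistered contacts (the information leak is closed), and
    each caller gets a small per-window request budget (assumed value, slows
    bulk probing but is not sufficient on its own)."""

    def __init__(self, max_requests_per_window: int = 20):
        self.budget = max_requests_per_window
        self._counts = defaultdict(int)

    def lookup(self, caller: str, contact: str) -> dict:
        self._counts[caller] += 1
        if self._counts[caller] > self.budget:
            return {"status": "rate_limited"}
        # Do any server-side work here (e.g. queue a contact invite), but
        # return the same body whether or not the contact maps to an account.
        _ = DIRECTORY.get(contact)
        return {"status": "accepted"}


def harvest(candidates, query) -> dict:
    """Model of the scraping loop: push a candidate list through a lookup
    function and keep every account id that comes back."""
    linked = {}
    for contact in candidates:
        response = query(contact)
        if response.get("account_id") is not None:
            linked[contact] = response["account_id"]
    return linked


if __name__ == "__main__":
    print("vulnerable:", harvest(CANDIDATES, vulnerable_lookup))
    hardened = HardenedLookup(max_requests_per_window=3)
    print("hardened:  ", harvest(CANDIDATES, lambda c: hardened.lookup("203.0.113.5", c)))
```

Running the vulnerable path links two of the four candidates to account ids; running the hardened path links none, and the fourth request from the same caller is refused. The rate limit is the secondary control: a scraper that spreads requests across many source addresses defeats it, so the uniform response is the fix that actually removes the oracle.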

A large amount of other users’ data was also stolen

Security researcher Chad Loder also disclosed, on Twitter and Mastodon, a larger data dump that may contain millions of Twitter records with personal phone numbers collected through the same API bug, which had already been fixed, alongside public fields such as verified status, account names, Twitter IDs, bios, and screen names. The original database of 5,485,635 Twitter user records was also shared for free on a hacking forum between September and November.

Besides publicly scraped fields (Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs), the records also include private user data, namely personal email addresses or phone numbers. Loder said that millions of Twitter accounts in the EU and the US were affected by the breach.

“I got in touch with a small number of the impacted accounts, and they confirmed that the stolen information is true. This breach did not happen before 2021.” It is worth noting that none of the phone numbers in this leaked database appeared in the original data purchased in August 2022. That illustrates how widely Twitter user information has been shared among threat actors, and that the breach goes deeper than previously known.

Although this has not been independently verified, we were also told that the second leaked database contains more than 17 million records.

How this Probe further affects Elon Musk

Since taking over in October, Musk has warned that Twitter could go bankrupt and imposed a “hardcore” work culture after making significant personnel cuts. A couple of months into his tenure, he has scared off advertisers, alienated some of Twitter’s most enthusiastic creators, and turned the platform from a place for discussing the news into a news topic in its own right.

An email requesting comment from Twitter was not immediately answered. The Irish regulator said it had “engaged” with the company on the matter and that a number of responses were “supplied.” This week, the company reached an amicable settlement with a senior executive who had been locked out of its IT systems for failing to reply within a few hours to an email from Musk asking employees whether they approved of the new “Twitter 2.0.”

The former head of that department, who filed an unfair-dismissal lawsuit in Germany, said that after Musk’s restructuring Twitter’s communications department in Germany no longer existed, and that the company had also closed its Brussels office. Last month the Irish regulator, despite criticism for being slow to act, fined Meta Platforms Inc. €265 million ($281 million) for failing to prevent the leak of personal information belonging to more than half a billion Facebook users.
