Following November 2022 news reports, the Irish Data Protection Commission (DPC) has opened an investigation into a major Twitter data leak. It was revealed that over 5.4 million Twitter records had been compromised by hackers.
A Twitter API vulnerability was exploited to steal this data, which consists of both public and private information, including email addresses and phone numbers.
The Irish privacy regulator stated that the DPC had contacted Twitter International Unlimited Company (“TIC”) in connection with a notified data breach in which TIC claimed to have been the source of the datasets.
After reviewing the data provided by TIC, the DPC is of the opinion that some or all of the provisions of the GDPR and/or the Act could have been and/or were infringed with respect to Twitter users’ personal information.
Twitter’s lead EU privacy watchdog wants to see whether Twitter is complying with its obligations as a controller concerning the processing of user data, and whether Twitter infringed the Data Protection Act 2018 or the General Data Protection Regulation (EU GDPR).
Two years ago, the privacy watchdog fined Twitter ($550,000) for not informing the DPC within 72 hours and for failing to properly document an earlier breach.
Meta was also penalized €265 million ($275.5 million) by the DPC in November for the massive 2021 leak of Facebook user data, which exposed the personal information of hundreds of millions of users around the world.
Threat actors were able to access the Facebook user data via a popular hacking site at that time.
Stolen Twitter data available for purchase since July
In July 2022, the stolen Twitter data went up for auction on a hacking site for $30,000.
Although most of the data in this database was public, including Twitter IDs, login names, locations and verified status, it also included non-public information such as phone numbers and email addresses.
The data was collected by exploiting a Twitter API vulnerability: anyone could submit email addresses or phone numbers to the API and have them linked back to the corresponding Twitter ID.
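The bug class described above is an account-linking oracle: an endpoint that, given a contact, tells any caller whether an account exists for it and which one. The following is an added, constructed illustration (not Twitter's code, and not a claim about how Twitter fixed the flaw) that places that pattern beside a hardened variant. It assumes a hypothetical opt-in "discoverable" flag per account, a per-client rate limit, and a sample directory built inline.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory (not real data): contact -> account record.
# "discoverable" models an assumed opt-in "let people who have my contact find me" setting.
ACCOUNTS = {
    "alice@example.com": {"user_id": 1001, "discoverable": False},
    "+15550100":         {"user_id": 1002, "discoverable": True},
}

def lookup_vulnerable(contact):
    """Oracle pattern: any caller learns whether a contact is tied to an account
    and which one, so bulk submissions turn a contact list into user IDs."""
    acct = ACCOUNTS.get(contact)
    return {"found": acct is not None, "user_id": acct["user_id"] if acct else None}

class HardenedLookup:
    """Honours the opt-in flag, answers identically for 'no account' and
    'account exists but is not discoverable', and throttles bursts per client."""
    def __init__(self, limit=5, window_s=60.0):
        self.limit, self.window_s = limit, window_s
        self.calls = defaultdict(deque)   # client -> call timestamps inside the window

    def _over_limit(self, client, now):
        q = self.calls[client]
        while q and now - q[0] > self.window_s:   # drop timestamps outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.limit

    def lookup(self, client, contact, now=None):
        now = time.monotonic() if now is None else now
        if self._over_limit(client, now):
            return {"status": "rate_limited"}
        acct = ACCOUNTS.get(contact)
        if acct is None or not acct["discoverable"]:
            return {"status": "no_match"}   # both outcomes are indistinguishable to the caller
        return {"status": "match", "user_id": acct["user_id"]}

def burst_clients(service, min_hits=3):
    """Detection helper: clients with at least min_hits lookups in the current window."""
    return sorted(c for c, q in service.calls.items() if len(q) >= min_hits)
```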
After BleepingComputer sent Twitter a screenshot of the stolen user records, the company attributed the theft to an attacker exploiting an API vulnerability that was fixed in January 2022.
BleepingComputer discovered that Pompompurin (the owner of the Breached hacking forum) exploited the bug. He also collected the information of nearly 7 million suspended Twitter users via a different API.
The same database, which contained 5,485,635 Twitter user records, was shared on a hacking forum in September and November.
These records include a variety of user information, both public and private: personal email addresses and phone numbers alongside publicly scraped data such as Twitter ID, name, screen name, verified status, location, URL, description and follower count.
Scraped Twitter data on sale (BleepingComputer)
Other users’ data was also taken
Security expert Chad Loder shared on Mastodon information about an even bigger Twitter data dump that could contain millions of Twitter records. It includes personal phone numbers, verified status, account names and bios, as well as other public information such as screen name and Twitter ID.
Loder stated that he had just been notified of the massive Twitter data breach, which affected millions of accounts across Europe and America.
“I spoke to a few affected accounts, and they confirmed the accuracy of the data breached. The breach took place no sooner than 2021.”
BleepingComputer confirmed that these phone numbers were valid and verified the additional data breach with many users.
The phone numbers included in this leaked data were not present in the data originally sold to the public in August 2022. This demonstrates the massive amount of Twitter data being traded among threat actors, and how much larger Twitter’s data breach is than previously known.
Info on larger Twitter data leak shared on Mastodon (BleepingComputer)
We were also told that the database contained more than 17,000,000 records, but we have not confirmed this.
BleepingComputer reached out to Twitter regarding this extra data dump of user private information. We are still waiting for a reply.