The stolen data consists of scraped public information (such as Twitter IDs, names, login names, locations, and verified status) as well as private phone numbers and email addresses that are not meant to be publicly visible. Pompompurin, the owner of the Breached hacking forum, told BleepingComputer this weekend that they were responsible for exploiting the bug and creating the massive dump of Twitter user records after another threat actor known as 'Devil' shared the vulnerability with them. In addition to the 5.4 million records offered for sale, 1.4 million profiles of suspended users were collected using a different API, bringing the total to almost 7 million Twitter profiles containing private information.
In September, and more recently on November 24th, the 5.4 million Twitter records were shared for free on a hacking forum. Pompompurin confirmed to BleepingComputer that this is the same data that was offered for sale in August; it includes 5,485,635 Twitter user records. Each record contains either a private email address or a phone number, together with publicly scraped data: the account's Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs.
This data was collected in December 2021 using a Twitter API vulnerability, disclosed through the HackerOne bug bounty program, that allowed people to submit phone numbers and email addresses to the API and retrieve the associated Twitter ID. With that ID, the threat actors could then scrape the account's public information to build a user record combining private and public data. Threat actors released the 5.4 million records for free, but, even more concerning, a larger data dump was allegedly created using the same vulnerability; it potentially contains tens of millions of Twitter records. Pompompurin also confirmed to BleepingComputer that they were not responsible for this newly discovered dump and did not know who created it, indicating that other people were also using the API vulnerability.
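The bug class described above is an account-enumeration oracle: a contact-lookup feature that maps any registered email or phone number to an account ID. The following is an added illustration, not Twitter's code and not the endpoint from the HackerOne report (the article does not name it). It models the oracle in its vulnerable form next to a hardened form with the properties a practitioner would require: an identified caller, a per-caller quota, and a "not discoverable" account that is indistinguishable from a non-existent one. The directory, user IDs, and function names are all hypothetical.

```python
"""Contact-to-account lookup: the enumeration oracle beside a hardened form.

Added example for illustration; it is not Twitter's code and does not
reproduce the reported endpoint. All names and data below are hypothetical.
"""
import time
from collections import defaultdict
from typing import Optional

# Constructed sample directory: normalized contact -> (user_id, discoverable).
# 'discoverable' models a user's "let others find me by email/phone" setting.
DIRECTORY = {
    "alice@example.com": ("1001", True),
    "+15555550100": ("1002", False),
    "carol@example.com": ("1003", False),
}


def normalize(contact: str) -> str:
    """Lower-case emails; strip separators from phone numbers."""
    c = contact.strip()
    if "@" in c:
        return c.lower()
    return "+" + "".join(ch for ch in c if ch.isdigit())


def vulnerable_lookup(contact: str) -> Optional[str]:
    """The bug class from the article: any registered email or phone maps
    straight to the account ID, ignoring privacy settings, with no caller
    identity and no quota, so the whole user base can be enumerated."""
    entry = DIRECTORY.get(normalize(contact))
    return entry[0] if entry else None


class HardenedLookup:
    """Same feature with:
    - a required caller identity (authenticated session or app id),
    - a per-caller sliding-window quota,
    - identical responses for 'unknown contact' and 'not discoverable'.
    """

    def __init__(self, max_calls: int = 5, window_s: float = 3600.0):
        self.max_calls = max_calls
        self.window_s = window_s
        self._calls = defaultdict(list)  # caller_id -> call timestamps

    def _allowed(self, caller_id: str, now: float) -> bool:
        recent = [t for t in self._calls[caller_id] if now - t < self.window_s]
        self._calls[caller_id] = recent
        if len(recent) >= self.max_calls:
            return False
        recent.append(now)
        return True

    def lookup(self, caller_id: str, contact: str, now: Optional[float] = None):
        """Return ('ok', user_id) only for an opted-in match; ('ok', None) for
        both an unknown contact and a registered but non-discoverable user;
        ('rate_limited', None) once the caller's quota is spent."""
        if not caller_id:
            raise PermissionError("authentication required")
        now = time.monotonic() if now is None else now
        if not self._allowed(caller_id, now):
            return ("rate_limited", None)
        entry = DIRECTORY.get(normalize(contact))
        if entry is None or not entry[1]:
            return ("ok", None)
        return ("ok", entry[0])


if __name__ == "__main__":
    print(vulnerable_lookup("+1 (555) 555-0100"))  # leaks 1002 via a private phone
    h = HardenedLookup(max_calls=3)
    print(h.lookup("app-1", "+1 (555) 555-0100", now=0.0))  # ('ok', None)
    print(h.lookup("app-1", "alice@example.com", now=1.0))  # ('ok', '1001')
```

The hardened form still returns matches for users who opted into discoverability, because that is the feature; what it removes is the ability to confirm that an arbitrary phone number or email belongs to an account, and the ability to do so at scale without an identity to throttle or revoke.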
This data could be used for targeted phishing attacks aimed at stealing login credentials, so it is essential to scrutinize every email that claims to come from Twitter. Imagine you receive an email claiming that your account has been suspended, that there are login issues, or that you are about to lose your verified status, and it prompts you to log in on a non-Twitter domain. Ignore such emails and delete them, as they are likely phishing attempts.
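The "non-Twitter domain" check above is easy to get wrong by hand, because lures use hosts like twitter.com.verify-login.example or put twitter.com in the URL's userinfo part. The following added example (not from the article) extracts the links from a message body and flags any whose real host is not a trusted domain or a subdomain of one; the allow-list and the sample lure are constructed for illustration.

```python
"""Flag links in a message body that do not point at a trusted host.

Added example, not from the article. TRUSTED_HOSTS is an assumed
allow-list; the sample message is constructed in the style of the lures
the article warns about.
"""
import re
from urllib.parse import urlparse

TRUSTED_HOSTS = ("twitter.com", "x.com")  # assumption: extend with your own list

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_trusted_host(url: str) -> bool:
    """True only if the URL's real host is a trusted domain or a subdomain of one.

    urlparse().hostname strips userinfo, port and case, so
    'https://twitter.com@evil.example/' yields 'evil.example', and the suffix
    test requires a dot boundary, so 'twitter.com.evil.example' and
    'nottwitter.com' are both rejected.
    """
    host = urlparse(url).hostname
    if not host:
        return False
    host = host.lower().rstrip(".")  # tolerate a trailing-dot FQDN
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def suspicious_links(body: str) -> list:
    """Return every URL in the message whose host is not trusted, in order."""
    return [u for u in URL_RE.findall(body) if not is_trusted_host(u)]


# Constructed sample lure (not a real message)
SAMPLE = """Your account has been suspended for violating our policies.
Verify now to keep your blue check: https://twitter.com.verify-login.example/restore
Help center: https://help.twitter.com/en/account
Sign in: https://twitter.com@login-twitter.example/session
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE):
        print("suspicious:", link)
```

Run against the sample, it flags the two lure links and leaves the genuine help-center link alone. A host check of this kind is only a first filter; it says nothing about a trusted domain that has been compromised, or about lures that rely on attachments rather than links.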