The Irish Data Protection Commission (DPC) has launched an inquiry into a massive Twitter data leak, following last month’s news reports that the non-public information of over 5.4 million Twitter users had been leaked on a hacking forum.
This data was stolen by exploiting an API vulnerability Twitter fixed in January and consists of scraped public information as well as private phone numbers and email addresses.
“The DPC corresponded with Twitter International Unlimited Company (‘TIC’) in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance,” the Irish privacy regulator said on Friday.
“The DPC, having considered the information provided by TIC regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed in relation to Twitter Users’ personal data.”
Twitter’s lead EU watchdog wants to determine whether Twitter has complied with its obligations as a data controller regarding the processing of users’ data and whether it infringed any provisions of the General Data Protection Regulation (EU GDPR) or the Data Protection Act 2018.
The privacy watchdog fined Twitter €450,000 (~$550,000) two years ago for failing to notify the DPC of a breach within the 72-hour timeframe imposed by the GDPR and to adequately document it.
Meta was also fined €265 million ($275.5 million) by the DPC in November for a massive 2021 Facebook data leak that exposed the personal information of hundreds of millions of users worldwide.
The Facebook user data was also shared on a well-known hacking forum at the time, allowing threat actors to use it in targeted attacks.
Stolen Twitter user data up for sale since July
The private information of over 5.4 million Twitter users was put up for sale on a hacking forum for $30,000 in July 2022.
Even though most of this data was public information, like Twitter IDs, names, login names, locations, and verified status, the leaked database also contained users’ non-public information, such as email addresses and phone numbers.
All this data was collected in December 2021 using a Twitter API vulnerability disclosed via the HackerOne bug bounty program that enabled anyone to submit phone numbers or email addresses into the API to link them to their associated Twitter ID.
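The lookup flaw described above is, in effect, a contact-to-account oracle. The following is an added illustration (not Twitter’s code; account data, the per-user discoverability flag and the per-caller quota are all constructed for the demo) of a leaky lookup handler beside a hardened one that honours opt-in, gives indistinguishable answers for unknown and opted-out contacts, and caps how many lookups one caller may make:

```python
"""Constructed example of a contact-lookup endpoint: leaky vs hardened."""
from dataclasses import dataclass


@dataclass
class Account:
    user_id: int
    email: str
    phone: str
    discoverable: bool  # assumed per-user "let others find me by contact" opt-in


# Constructed sample directory (not real accounts).
ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550000001", discoverable=False),
    Account(1002, "bob@example.com", "+15550000002", discoverable=True),
]

LOOKUP_QUOTA = 3          # assumed per-caller budget for the demo
_calls_by_caller: dict = {}  # in-memory counter standing in for a real rate limiter


def _find(contact: str):
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct
    return None


def leaky_lookup(contact: str) -> dict:
    """Vulnerable behaviour: any submitted email or phone number is resolved to
    the owning account ID, regardless of that user's settings or call volume."""
    acct = _find(contact)
    if acct is None:
        return {"status": "not_found"}
    return {"status": "found", "user_id": acct.user_id}


def hardened_lookup(contact: str, caller: str) -> dict:
    """Fixed behaviour: enforce a per-caller quota, link only accounts that opted
    in to discovery, and answer identically for unknown and opted-out contacts."""
    count = _calls_by_caller.get(caller, 0) + 1
    _calls_by_caller[caller] = count
    if count > LOOKUP_QUOTA:
        return {"status": "rate_limited"}
    acct = _find(contact)
    if acct is None or not acct.discoverable:
        return {"status": "no_match"}  # same shape whether absent or opted out
    return {"status": "match", "user_id": acct.user_id}
```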
After BleepingComputer shared a sample of the stolen user records with Twitter, the company confirmed they had suffered a data breach linked to attackers using an API bug fixed in January 2022.
BleepingComputer found that the bug was exploited by Pompompurin, the owner of the Breached hacking forum, who also harvested the info of 1.4 million additional suspended Twitter users using a different API, which brought the total to almost 7 million Twitter profiles scraped for private information.
During September and November, the same database containing 5,485,635 Twitter user records was also shared for free on a hacking forum.
The records contain a trove of public and private user data, including personal email addresses and phone numbers, as well as publicly scraped data such as the Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs.
Data belonging to tens of millions of other users also stolen
Security expert Chad Loder also shared on Twitter and Mastodon details regarding an even larger Twitter data dump potentially containing millions of Twitter records with personal phone numbers collected using the now-fixed API bug and some public info like verified status, account names, Twitter ID, bio, and screen name.
“I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US,” Loder said.
“I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021.”
BleepingComputer has since confirmed with numerous users affected by this second Twitter leak that the phone numbers are valid, verifying this additional data breach is also real.
None of the phone numbers in this more extensive leaked database were present in the original data sold in August 2022, showing the large amount of Twitter user data being exchanged among threat actors and how much more significant Twitter’s data breach was than previously known.
We were also told that the second leaked database contains more than 17 million records, but we couldn’t independently confirm this information.
While BleepingComputer has reached out to Twitter about this additional data dump of private user information, we are still waiting to receive a response.