Twitter account information on 200 million users, including Google CEO Sundar Pichai and Donald Trump Jr., is now available for free on a hacker forum, according to security researchers.
The researchers at Privacy Affairs, a group of experts in several countries, say the data comes from the same trove of information on 400 million Twitter users that was offered for sale on the dark web for US$200,000 in December.
This is not a new data leak, say the researchers, but the elimination of duplicate data from the cache put up for sale last month.
The data includes account name, handle, creation date, follower count, and email address. It also includes the accounts created by a number of organizations such as SpaceX, CBS Media and the National Basketball Association.
It doesn’t include passwords. Still, the researchers warn “the availability of the email addresses associated with the listed accounts could be used to determine the real-life identity or location of the affected account holders through social engineering attacks. The email addresses could also be used for spam or scam marketing campaigns and for sending personal threats to individual users.”
The hackers claim they got this data by scraping information Twitter collected from its users. The researchers admit they aren’t sure how the data was obtained, though the most likely method is the abuse of an application programming interface (API) vulnerability.
Data scraping of Twitter isn’t new. All one has to do is a Google search of “Twitter scraping” to find tips and tools for doing it.
“The simple, structured format of Twitter and its various posting functions makes it relatively easy to navigate and scrape,” James Phoenix wrote last February for a site called Just Understanding Data. The Twitter API does allow users to read and write Twitter data, he added, noting, “Using the Twitter API instead of scraping Twitter data ensures compliance with Twitter’s terms of service, but it’s not as efficient or flexible as using scraping services.”
According to the Bleeping Computer news service, this new cache of data is not free, but costs a mere US$2.00.
Privacy Affairs says that on the hacker forum where this data haul is being marketed, a user needs to purchase ‘credits’ to download leaks posted by forum users. The forum poster is offering the data for free; the forum, however, charges a credit (~$2) to initiate a download.
Bleeping Computer also notes that, since July 22, hackers have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and email addresses) and public data on various online hacker forums. These data sets were created in 2021 by exploiting a Twitter API vulnerability that allowed users to input email addresses and phone numbers to confirm whether they were associated with a Twitter ID. The threat actors then used another API to scrape the public Twitter data for the ID and combined this public data with private email addresses/phone numbers to create profiles of Twitter users.
Though Twitter fixed this flaw in January 2022, the news report says, threat actors have recently begun to leak the data sets they collected over a year ago for free.
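The enumeration flaw described above, shown as an added illustration that is not from the article or from Twitter’s own code: the first lookup answers differently depending on whether an e-mail address is registered, which is what lets a caller confirm an address-to-account link; the second returns the same response for unknown and opted-out addresses and caps queries per caller. The per-user `discoverable` opt-in flag, the sample accounts and the rate limiter are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    email: str
    discoverable: bool  # hypothetical "let people find me by e-mail" opt-in


# Constructed sample directory; these are not real accounts.
ACCOUNTS = {
    "alice@example.com": Account("1001", "alice@example.com", discoverable=False),
    "bob@example.com": Account("1002", "bob@example.com", discoverable=True),
}


def lookup_vulnerable(email: str) -> dict:
    """Leaks existence: the reply differs for registered and unregistered addresses."""
    acct = ACCOUNTS.get(email.lower())
    if acct is None:
        return {"found": False}
    return {"found": True, "user_id": acct.user_id}


@dataclass
class RateLimiter:
    """Fixed per-caller query quota (a real service would use a time window)."""
    limit: int
    counts: dict = field(default_factory=dict)

    def allow(self, caller: str) -> bool:
        n = self.counts.get(caller, 0) + 1
        self.counts[caller] = n
        return n <= self.limit


def lookup_hardened(email: str, caller: str, limiter: RateLimiter) -> dict:
    """Same reply for unknown and opted-out addresses; bounded per caller."""
    if not limiter.allow(caller):
        return {"error": "rate_limited"}
    acct = ACCOUNTS.get(email.lower())
    # An address that is unregistered and one whose owner did not opt in
    # are indistinguishable to the caller.
    if acct is None or not acct.discoverable:
        return {"matches": []}
    return {"matches": [acct.user_id]}
```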