Twitter previously confirmed that the personal data of 5.4 million users had been stolen through an API vulnerability, but the company said it had no evidence that the data had been used. Now all of these accounts have been exposed by hackers, according to BleepingComputer. In addition, a further 1.4 million Twitter profiles of "suspended" users were shared privately, and an even larger data dump containing the information of "tens of millions" of other users may have been produced through the same vulnerability.
Last July, an attacker began selling the personal information of more than 5.4 million Twitter users on a hacking forum for $30,000. While most of the data consisted of public information such as Twitter IDs, names, logins, locations and verified status, it also included personal information such as phone numbers and email addresses.
The owner of the hacking forum Breached said he was responsible for exploiting the vulnerability (originally obtained from another hacker named Devil) and deleting user posts. He also revealed that he obtained data from 1.4 million temporarily blocked Twitter profiles through another API, but shared it privately with only a few people.
In addition, security expert Chad Loder discovered that tens of millions more Twitter accounts could have been exposed using the same API. Again, the retrieved data may contain private phone numbers alongside publicly available information. Loder posted a redacted sample of the dump on Mastodon, as he had been banned from Twitter a few days earlier, for unknown reasons, after publishing his post about it. BleepingComputer reports that this leak may have affected more than 17 million accounts.
Users' personal phone numbers and email addresses could be used for phishing and other scams. This information can also be used to unmask the identity behind anonymous Twitter accounts. Be wary of any suspicious emails or messages purporting to come from Twitter, and if you're not already using two-factor authentication, now is the time.
Source: Engadget, BleepingComputer