Twitter admits 2022 data leaks exploit same vulnerability — how to stay safe

Twitter Blue
(Image credit: @TwitterBlue)

Twitter today confirmed that the November 2022 data breach, which leaked millions of users' profiles including email addresses and phone numbers, exploited the same vulnerability as the July 2022 leak.

In a security update, Twitter details the July 2022 data breach alongside the more recent November 2022 leak of user data. Twitter's Incident Response Team compared the data reported by the media on July 21, 2022, with the November data set and concluded that "the exposed data was the same in both cases."

As Twitter confirmed in August 2022, a Twitter vulnerability allowed a hacker to obtain account data on 5.4 million users, and the stolen information, claimed to include email addresses and phone numbers, went up for sale for at least $30,000. Twitter had acknowledged the bug as a "valid security issue" back in January 2022, awarding the user zhirinovskiy a $5,040 bounty for discovering it, and the bug has since been patched.

Post of Twitter Hacker selling data (via Restore Privacy) (Image credit: Restore Privacy)

However, the threat actor, known as "devil," apparently used this vulnerability before it was fixed to collect and sell millions of users' data, which is said to "range from Celebrities, to Companies, randoms, OGs, etc."

As reported by BleepingComputer, in November 2022 another hacker released a JSON file containing the 5.4 million records. Separately, another researcher spotted a new set of Twitter profiles that had been scraped using the same vulnerability, distinct from the 5.4 million leaked in July 2022. That data set apparently contained 17 million user profiles.

"In November 2022, some press reports published that Twitter users' data had been allegedly leaked online," Twitter's security update states. "As soon as we became aware of the news, Twitter’s Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases."

The cybersecurity news site sampled a data set containing 1.4 million accounts and even contacted Twitter users to confirm whether the leaked phone numbers were valid. Unfortunately, they were. This means the vulnerability reported in January 2022 is still having effects, and Twitter has not confirmed the number of users exposed by the breach.

Start using two-factor authentication

In the security update, Twitter states that while no passwords were exposed in the data leak, users should turn on two-factor authentication or use hardware security keys to protect their accounts. It also recommends being wary of suspicious emails, as the exposed information could fuel targeted phishing campaigns.

You can check out the best authenticator apps to stay secure, and to make sure your passwords are locked up, the best password managers can help you out. Speaking of emails, invisible images can let companies spy on your email; here's how to stop them.

Darragh Murphy is fascinated by all things bizarre, which usually leads to assorted coverage varying from washing machines designed for AirPods to the mischievous world of cyberattacks. Whether it's connecting Scar from The Lion King to two-factor authentication or turning his love for gadgets into a fabricated rap battle from 8 Mile, he believes there’s always a quirky spin to be made. With a Master’s degree in Magazine Journalism from The University of Sheffield, along with short stints at Kerrang! and Exposed Magazine, Darragh started his career writing about the tech industry at Time Out Dubai and ShortList Dubai, covering everything from the latest iPhone models and Huawei laptops to massive Esports events in the Middle East. Now, he can be found proudly diving into gaming, gadgets, and letting readers know the joys of docking stations for Laptop Mag.