From June 2021 to January 2022, a bug in a Twitter application programming interface, or API, allowed attackers to submit contact information such as an email address or phone number and receive the associated Twitter account in return. Before it was patched, attackers used the flaw to “scrape” data from the social network at scale. While the bug didn’t give hackers access to passwords or other sensitive information like DMs, it did expose the connection between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers linked to them, potentially identifying users.
While it was active, the vulnerability was apparently exploited by multiple actors to create different collections of data. One that has been circulating on crime forums since the summer included the email addresses and phone numbers of about 5.4 million Twitter users. The huge hoard that just surfaced appears to contain only email addresses. Even so, the widespread dissemination of that data creates the risk that it will fuel phishing attacks, identity theft attempts and other targeted attacks.
Twitter did not respond to WIRED’s requests for comment. The company wrote of the API vulnerability in an August disclosure: “When we became aware of it, we immediately investigated and fixed the issue. At the time, we had no evidence to suggest anyone took advantage of the vulnerability.” Evidently, Twitter’s telemetry was not enough to detect the malicious scraping while it was under way.
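The lookup pattern at the heart of the bug, a hardened variant of it, and the kind of volume check that would have surfaced scraping in request logs, as an added example written for this article. It is not Twitter’s code: the directory, the per-account discoverability flag, the client identifiers, the log format and the thresholds are all assumptions constructed for illustration.

```python
"""Contact-to-account lookup as an enumeration oracle, a hardened variant,
and a scrape detector over constructed log lines.
Added illustration only; this is not Twitter's code, and every name,
setting, log format and data value below is an assumption for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed directory: contact -> pseudonymous account handle.
DIRECTORY = {
    "alice@example.com": "@quiet_birder",
    "bob@example.com": "@bob_public",
    "+15550100": "@night_owl_42",
}
# Assumed per-account opt-in: "let others find me by this email/phone".
DISCOVERABLE = {"@quiet_birder": False, "@bob_public": True, "@night_owl_42": False}

# Assumed policy: at most this many distinct contacts per client per window.
MAX_DISTINCT = 3
WINDOW = timedelta(seconds=60)


def vulnerable_lookup(contact):
    """The flaw described above in miniature: any caller maps a contact
    straight to the account linked to it, regardless of privacy settings
    or request volume."""
    return DIRECTORY.get(contact)


class LookupRateLimiter:
    """Caps the number of *distinct* contacts a client may query per window.
    Scrapers stand out by breadth of contacts, not by total request count."""

    def __init__(self, max_distinct=MAX_DISTINCT, window=WINDOW):
        self.max_distinct = max_distinct
        self.window = window
        self.recent = defaultdict(dict)  # client -> {contact: last_seen}

    def allow(self, client, contact, now):
        seen = self.recent[client]
        for c, t in list(seen.items()):  # expire entries outside the window
            if now - t > self.window:
                del seen[c]
        if contact not in seen and len(seen) >= self.max_distinct:
            return False
        seen[contact] = now
        return True


def hardened_lookup(contact, client, now, limiter):
    """Returns (status, handle). A match is revealed only when the account
    opted in to discovery and the client is under its distinct-contact cap."""
    if not limiter.allow(client, contact, now):
        return ("rate_limited", None)
    handle = DIRECTORY.get(contact)
    if handle is None or not DISCOVERABLE.get(handle, False):
        return ("not_found", None)  # same answer for unknown and non-discoverable
    return ("ok", handle)


# Constructed lookup log (assumed format): "<iso-timestamp> client=<id> contact=<value>".
T0 = datetime(2021, 11, 3, 10, 0, 0)
LOG_LINES = [
    f"{T0.isoformat()} client=app-normal contact=alice@example.com",
    f"{(T0 + timedelta(seconds=40)).isoformat()} client=app-normal contact=bob@example.com",
] + [
    f"{(T0 + timedelta(seconds=i)).isoformat()} client=app-scraper contact=user{i}@example.com"
    for i in range(6)  # six distinct contacts in six seconds
]


def parse_line(line):
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return datetime.fromisoformat(ts), kv["client"], kv["contact"]


def detect_scrapers(lines, max_distinct=MAX_DISTINCT, window=WINDOW):
    """Offline form of the same rule for log review: flag any client that
    queried more than max_distinct distinct contacts inside one window."""
    events = defaultdict(list)
    for line in lines:
        ts, client, contact = parse_line(line)
        events[client].append((ts, contact))
    flagged = []
    for client, evs in events.items():
        evs.sort()
        win = deque()
        for ts, contact in evs:
            win.append((ts, contact))
            while ts - win[0][0] > window:
                win.popleft()
            if len({c for _, c in win}) > max_distinct:
                flagged.append(client)
                break
    return sorted(flagged)
```

The point of counting distinct contacts rather than raw requests is that a legitimate address-book sync queries a bounded set repeatedly, whereas a scraper walks through a list it does not own; the hardened lookup also gives the same “not found” answer for unknown and non-discoverable contacts so the response itself is not an oracle. With the numbers assumed here, `detect_scrapers(LOG_LINES)` flags only `app-scraper`.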
Twitter is far from the first platform to expose data to mass scraping through an API flaw, and in such scenarios there is often confusion about how many distinct data troves actually exist as a result of malicious exploitation. These incidents are still significant, however, because they add more connections and validations to the massive amount of stolen data about users that already exists in the criminal ecosystem.
“Obviously, there are more people who knew about this API vulnerability and more people who downloaded it. Did different people scrape different things? How many treasures are there? It kind of doesn’t matter,” says Troy Hunt, founder of breach-tracking site HaveIBeenPwned. Hunt ingested the Twitter dataset into HaveIBeenPwned and says it represented information on more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in previous breaches recorded by HaveIBeenPwned, and Hunt says he has sent notification emails to nearly 1,064,000 of his service’s 4,400,000 email subscribers.
“This is the first time I’ve ever sent a seven-figure email,” he says. “Nearly a quarter of my entire subscriber corpus is really significant. But since so much of that was already out there, I don’t think this is going to be an incident that has a long tail in terms of impact. But it could de-anonymize people. The thing that worries me the most are those people who wanted to keep their privacy.”
Twitter wrote in August that it shares this concern over the potential linking of users’ pseudonymous accounts to their real identities due to the API vulnerability.
“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this has occurred,” the company wrote. “To keep your identity as veiled as possible, we recommend that you don’t add a publicly known phone number or email address to your Twitter account.”
For users who hadn’t already linked their Twitter accounts to burner email accounts at the time of the scraping, however, the advice comes too late. In August, the social network said it was notifying potentially affected individuals of the situation. The company has not said whether it will make further notifications in light of the hundreds of millions of records now exposed.
The Irish Data Protection Commission said last month that it is investigating the incident that yielded the hoard of 5.4 million users’ email addresses and phone numbers. Twitter is also under investigation by the US Federal Trade Commission over whether the company violated a “consent decree” that required Twitter to improve its privacy and user data protection measures.