The owner of hacking forum called Breached told BleepingComputer that it was responsible for exploiting the weakness (originally obtained from another hacker called "Devil") and dumping the user records. It said that it also obtained 1.4 million Twitter profiles for suspended accounts, obtained via another API, but only shared those privately among a few individuals.
On top of all that, security expert Chad Loder has revealed that tens of millions more Twitter records may have been collected using the same API. Once again, data collected may include private phone numbers along with public information. Loder posted a redacted sample on Mastodon, as he was banned on Twitter several days ago for unknown reasons. It could contain over 17 million records, BleepingComputer was told.
The breaches leaked users' private phone numbers and email addresses, which could be used for phishing and other scams. That information could also be exploited to uncover identities from private Twitter accounts. As usual, be very wary of any suspicious emails or texts claiming to come from Twitter — and if you're thinking about using two-factor authentication, now would be a good time.
