Information amassed on 5.4 million Twitter users by an attacker who abused a Twitter API is now available online for free. Twitter had previously confirmed the flaw and the theft of data, but a researcher now suggests that at least one additional attacker abused the same feature to harvest account details on millions of other users.
A description of the dumped database says it includes the 5.4 million users' usernames, display names, bios, locations, email addresses and phone numbers. The attacker amassed the data by exploiting APIs tied to the "let others find you by your phone" feature, submitting contact details and collecting the account information that the lookup returned.
According to an analysis by the Breached forum, which is hosting the stolen data, 681,184 of the email addresses, about 12% of those in the dump, do not appear in any previously leaked dataset.
Twitter confirmed the breach in August, saying it had learned about the flaw in January via its bug bounty program and immediately fixed it.
Now, security researcher Chad Loder is warning that much more information appears to have been stolen by unknown attackers who also abused the feature.
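The weakness the article describes, a "find me by phone" lookup that can be driven in bulk to enumerate accounts, is easiest to see side by side with a hardened version. The following is an added example, not Twitter's code or data: it models a leaky contact-discovery endpoint that returns the full profile for any submitted number, and a hardened one that respects opt-in, returns only a handle, and charges each caller a per-window quota so that sweeping a phone-number range is throttled and visible. The directory entries, quota values and all function and class names are constructed for illustration.

```python
"""Added example: contact-discovery lookup, leaky vs hardened.

Models the class of weakness in the article: a 'let others find you by
phone' endpoint that, given a contact, reveals the matching account.
Accounts, numbers, quota values and names here are constructed for the
example and are not Twitter's API or data.
"""
from dataclasses import dataclass
from typing import Optional
import time


@dataclass
class Account:
    handle: str
    display_name: str
    bio: str
    location: str
    email: str
    phone: str
    discoverable_by_phone: bool = False  # user opted in to phone discovery


# Constructed sample directory (not real users).
DIRECTORY = [
    Account("alice", "Alice A.", "gardener", "Oslo", "alice@example.org", "+4712345678", True),
    Account("bob", "Bob B.", "pentester", "Berlin", "bob@example.org", "+4912345678", False),
    Account("carol", "Carol C.", "", "Lima", "carol@example.org", "+5112345678", True),
]
BY_PHONE = {a.phone: a for a in DIRECTORY}
BY_EMAIL = {a.email: a for a in DIRECTORY}


def leaky_lookup(contacts: list[str]) -> list[dict]:
    """The abusable pattern: any caller submits any number of contacts, the
    opt-in flag is ignored, and the full profile (including the contact
    itself) comes back. Feeding in a range of phone numbers enumerates
    accounts and yields exactly the fields listed in the dump."""
    hits = []
    for c in contacts:
        acct = BY_PHONE.get(c) or BY_EMAIL.get(c)
        if acct:
            hits.append({"handle": acct.handle, "display_name": acct.display_name,
                         "bio": acct.bio, "location": acct.location,
                         "email": acct.email, "phone": acct.phone})
    return hits


class QuotaExceeded(Exception):
    pass


class HardenedDiscovery:
    """Same feature with the controls a bulk enumeration run hits:
    - opt-in respected: accounts that did not enable discovery never match
    - minimal response: only the handle, never email or phone, so a hit
      reveals nothing the caller did not already hold
    - per-caller quota on contacts checked per window, so sweeping a number
      range is throttled and the spike is visible for detection
    """

    def __init__(self, max_contacts_per_window: int = 100, window_s: float = 3600.0):
        self.max = max_contacts_per_window
        self.window_s = window_s
        self._usage: dict[str, list[float]] = {}  # caller -> timestamps of contacts checked

    def _charge(self, caller: str, n: int, now: float) -> None:
        stamps = [t for t in self._usage.get(caller, []) if now - t < self.window_s]
        if len(stamps) + n > self.max:
            raise QuotaExceeded(f"{caller}: {len(stamps) + n} > {self.max} contacts in window")
        stamps.extend([now] * n)
        self._usage[caller] = stamps

    def lookup(self, caller: str, contacts: list[str], now: Optional[float] = None) -> list[str]:
        now = time.time() if now is None else now
        self._charge(caller, len(contacts), now)  # charge before doing any lookup work
        handles = []
        for c in contacts:
            acct = BY_PHONE.get(c)  # phone only; email discovery would be a separate opt-in
            if acct and acct.discoverable_by_phone:
                handles.append(acct.handle)
        return handles


def enumerate_range(prefix: str, start: int, count: int) -> list[str]:
    """What an enumerating attacker feeds in: a contiguous block of numbers."""
    return [f"{prefix}{n}" for n in range(start, start + count)]


if __name__ == "__main__":
    probe = enumerate_range("+47", 12345670, 20)
    print("leaky:", leaky_lookup(probe))          # full profile for alice, opt-in ignored
    svc = HardenedDiscovery(max_contacts_per_window=50)
    print("hardened:", svc.lookup("app1", probe))  # ['alice'] and nothing else
    try:
        svc.lookup("app1", enumerate_range("+47", 0, 40))
    except QuotaExceeded as e:
        print("throttled:", e)
```

The quota is charged before any lookup work so that a rejected batch costs the caller and not the service, and the window is sliding rather than a fixed counter reset, so an attacker cannot drain a fresh allowance at the top of every hour.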