A user on the cybercrime forum Breached is selling what they claim is info scraped via Twitter APIs from 400 million Twitter profiles, including email, name, account name, follower count and in many cases phone number. This was first brought to my attention by Alon Gal at Hudson Rock. https://www.linkedin.com/in/alon-gal-utb/

The seller told me they scraped the data using the same set of weaknesses in Birdsite APIs that allowed the scraping (and publishing) early this year of profile data on 5.4M Twitter users.

https://www.bleepingcomputer.com/news/security/54-million-twitter-users-stolen-data-leaked-online-more-shared-privately/

They said they scraped the data via an exploit that was patched earlier this year, in the login API, and specifically the part of it that checks for duplicate accounts.

That, according to the seller, leaked the Twitter user ID, which was then converted via another Twitter API into a username. They also said that same iterative process worked for user telephone numbers.

The vulnerability that was reportedly used to scrape the previously dumped 5.4M Twitter user data set was reported to Hacker One on Jan. 1, 2022.

https://hackerone.com/reports/1439026

The seller released 1,000 new records as a teaser, and is trying to get Twitter to buy the data for an undisclosed amount.

They also pasted a number of "celebrity" accounts directly into the sales thread. Curiously, this record set does not have the phone number associated w/ my Twitter account. But it was in the 5.4M scrape that got released on the same forum last month. However, I removed the burner phone number from my profile around the time the seller said they scraped this data (beginning of 2022).

The data in both the teaser and the 1,000 user file includes follower counts for each user, and a spot check on about a half dozen of them shows follower numbers consistent with what Archive.org and Sociable say about follower counts at the beginning of Jan 2022/end of December.

They are selling it through the escrow service set up by the administrators of the forum, which is what you'd expect to see in a real offering for this volume of data.
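Added example, not code from the thread or from Twitter: a toy sign-up "duplicate account" check in the leaky shape described above (the public response says whether an email/phone is registered and which numeric account it belongs to), beside a hardened version whose response is identical either way and tells only the owner of that address, out of band, which case applies. A per-client sliding-window rate limit and a log check that flags clients probing many distinct identifiers round out the defender's side. All emails, phone numbers, account ids and log lines are constructed.

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample directory (fictional emails/phones -> numeric account ids).
USERS = {
    "alice@example.com": 1001,
    "bob@example.com": 1002,
    "+15550100": 1003,
}

# Messages the hardened check would send out of band; collected here instead of emailed.
OUTBOX = []


def leaky_duplicate_check(identifier: str) -> dict:
    """Vulnerable pattern: the public response reveals whether the email/phone is
    registered and which numeric account it belongs to. An unauthenticated caller
    can therefore test a list of identifiers and map each hit to an account."""
    uid = USERS.get(identifier)
    if uid is not None:
        return {"available": False, "user_id": uid}
    return {"available": True}


def hardened_duplicate_check(identifier: str) -> dict:
    """Hardened pattern: the public response is identical whether or not the
    identifier is registered. Only the person who controls that email/phone
    learns which case applies, via an out-of-band message."""
    if identifier in USERS:
        OUTBOX.append((identifier, "existing_account_notice"))
    else:
        OUTBOX.append((identifier, "verification_code"))
    return {"status": "pending", "message": "Check your inbox to continue."}


class SlidingWindowLimiter:
    """Per-client request cap over a sliding window, so bulk probing of the
    endpoint is throttled even when the response itself leaks nothing."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self.hits = defaultdict(deque)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] >= self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_check(client: str, identifier: str, limiter: SlidingWindowLimiter,
                 now: Optional[float] = None) -> dict:
    """Endpoint handler combining the rate limit with the hardened check."""
    if not limiter.allow(client, now):
        return {"status": "rate_limited"}
    return hardened_duplicate_check(identifier)


# Constructed request log: one client probes many distinct identifiers, another does not.
SAMPLE_LOG = [
    "client=10.0.0.5 endpoint=/signup/check identifier=u1@example.com",
    "client=10.0.0.5 endpoint=/signup/check identifier=u2@example.com",
    "client=10.0.0.5 endpoint=/signup/check identifier=u3@example.com",
    "client=10.0.0.5 endpoint=/signup/check identifier=u4@example.com",
    "client=10.0.0.5 endpoint=/signup/check identifier=u5@example.com",
    "client=10.0.0.9 endpoint=/signup/check identifier=carol@example.com",
    "client=10.0.0.9 endpoint=/signup/check identifier=carol@example.com",
]


def flag_enumeration(log_lines, threshold: int = 5):
    """Detection: count distinct identifiers each client submitted to the check
    endpoint and return the clients at or above the threshold."""
    probes = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("endpoint") == "/signup/check":
            probes[fields["client"]].add(fields["identifier"])
    return sorted(c for c, ids in probes.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(leaky_duplicate_check("alice@example.com"))     # leaks user_id 1001
    print(hardened_duplicate_check("alice@example.com"))  # same as for an unknown address
    print(hardened_duplicate_check("nobody@example.com"))
    print(flag_enumeration(SAMPLE_LOG))                   # ['10.0.0.5']
```

The two checks differ only in what the caller can learn: the hardened one moves the "is this address taken" answer to the mailbox or phone that the address resolves to, so a scraper holding a list of emails gets nothing back. The limiter and the log check matter because even a non-leaking endpoint can be hammered; an alert on a single client submitting many distinct identifiers is the kind of signal that would have shown a bulk scrape in progress.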

@briankrebs Of all of the DJTJ uses hotmail? That's just sad.

@hackerfactor So tempted to post about this on Birdsite. But I'm not going to [begins chanting affirmations].

On second thought, since it pertains to the dumpster fire....

@briankrebs 400M is basically every monthly active Twitter account...
@briankrebs live feed from hardcore Twitter HQ
@briankrebs
Everyone,
The fact that the site is owned by a Nazi should be enough reason to abandon the platform, but if that's not reason enough for you to leave, and if having a business model that makes them a threat to democracy isn't enough, then at least place some value on your own computer security for [bad word]'s sake.
@briankrebs I wrote a toy Python program to do exactly that with the Mastodon public API. Works like a web spider: read a toot, learn about ID mentioned, read ID of toots sent in reply and boosts, explore toots and accounts. The Mastodon doc states that all data is public, and that's absolutely true!
@briankrebs Good luck to them trying to get Twitter to buy the data. 🤔
@briankrebs another episode of "org realizes months after the fact that being pwned MIGHT be a bad thing after all"
@briankrebs birdsite & LastPass could start a self help group at this point
@briankrebs Wait, what? "Lose trust in you as a company and thus stunt the current growth and hype that you are having...". Did I miss something? #twitter
@briankrebs
Great, so the next big wave from Twitter is coming next week??
@briankrebs
What happens when you sack the people who wrote the code that kept the hackers out. What a great way to make very nasty enemies.

@briankrebs I've been seeing tweets on twt about accounts being exploited and 2FA via SMS being subject to sim-swapping attacks too.

Which makes me wonder: how do people react in front of a #databreach ? No password changes whatsoever, weak MFA adoption (if any).

Public figures work with #socialmedia platforms to make up for living, and they still are exposed widely to takeovers. Not to mention the platform, again, does NOT provide any kind of support to anyone who may find their account stolen because of a #breach.

Truth is - in my opinion - that the #cybersecurity fundamentals are rotten at their core.

Willingly.

@briankrebs Any chance Twitter paid?
Hacker went completely silent..
@briankrebs This is why I don't give my phone number to random websites :D
@briankrebs is this real cause it won't let me copy csv code