This year in January 2023, a database containing the email addresses & names of over 200 million Twitter users was released on a hacker forum. However, this data does not appear to contain passwords or additional highly sensitive information.
This is just the latest in a series of similar leaks, all of which were obtained via a specific API vulnerability that was identified in late 2021.
Twitter has a long history of security issues and privacy violations. We’re here to tell you all about it.
Table of Contents
January 2023 – Twitter Data Breach
In December 2022, a trove of data on over 200 million Twitter users circulated among hackers. The data, which included email addresses, names, and usernames, was published on BreachForums on January 4th.
However, it is not clear if passwords or other highly sensitive data were included.
Twitter has not commented on a report that a user’s account was hacked and their tweets were altered. It’s unknown what action Twitter has taken to examine or remedy the issue. Reuters was not able to separately verify the data posted on the hacked forum was genuine.
This data appears to have come from Twitter. Some screenshots of the forum have circulated online.
Some people say that the number of email addresses and phone numbers that were stolen in this breach is 400 million. However, this information is still changing and we don’t know for sure how many email addresses and phone numbers were taken.
This data was collected from June 2021 to January 2022 by exploiting a vulnerability in an API. In the latter half of 2022, the vulnerability was found that be exploited by different people multiple times. This resulted in several Ransomware attempts and leaks.
In December, a hacker famous as Ryushi tried to ransom the data of a company for $200,000.
According to various reports, up to 400 million accounts were compromised in the attack. However, after removing duplicate accounts, the final figure appears to be closer to 210 million.
This includes data on high-profile accounts such as Donald Trump Jr, Alexandria Ocasio-Cortez, & Mark Cuban.
November 2022 – Twitter Data Breach
On the 24th of November, a hacker published data including email addresses and phone numbers of 5.4 million Twitter users on a hacker forum. This data was obtained by the hacker through a data breach.
This hacker exploited a vulnerability in an API in late 2021 to collect this data. They attempted to sell it for $30,000 in July 2022.
Around 5.4 million people had their personal information exposed in a data leak on Twitter. This affected a lot of other people too, as you can see from the list above.
The microblogging site has a vulnerability that allowed hackers to steal 5.4 million user accounts in the past. Recently, it was discovered that there are now several million more user accounts that are vulnerable to theft.
BleepingComputer reported on Monday that 5.4 million user records containing passwords, phone numbers, emails and more may have been just the tip of the iceberg for a much larger breach in company data.
This could be the result of a larger hack that has been ongoing for some time. The data was originally stolen from Twitter using a flaw in their platform’s API, but it has now been made publicly available.
HackerOne has found that it is possible to obtain the Twitter ID of a user by submitting their phone number or email address to the system. This information is available even if the user has disabled this option on their account.
August 2022 – Twitter Data Breach
Twitter has long been known for its lax security practices. On August 23, its former head of security, Peter “Mudge” Zatko, came forward with allegations that these practices were very inadequate.
In his 200-page complaint filed with the SEC on July 6, he outlined numerous serious deficiencies, negligence, and threats to national security and democracy.
Per Zatko’s account, Twitter’s leaders, including CEO Parag Agrawal, misled federal regulators and their own board of directors about the company’s security measures. This misled regulators and caused them to misjudge the company’s security posture.
He claims that the platform is vulnerable to foreign hacking, that hundreds of engineers have access to change Twitter’s algorithm in real-time, and that users’ requests to delete their data are not being followed through.
Zatko highlighted the high rate of security incidents on the platform: according to his description, the platform experiences one serious breach per week.
Twitter disputes claims made by Zatko, describing his account as a false narrative with inconsistencies and inaccuracies.
Twitter points out that Zatko’s account lacks important context, such as how his alleged concerns about privacy and data security are not shared by other Twitter users.
The company asserted that Zatko was fired in January 2022 for ineffective leadership and poor performance, while Zatko himself maintains that he was forced out after speaking up to Twitter’s board about security issues.
The company has failed to live up to its promises to protect its users’ data and privacy and has instead been deceptive in its advertising.
The social networking provider is now at risk of losing its FTC approval, which would mean that its users would be less protected from online scams and other dangers.
Twitter is in violation of an agreement it made with the FTC in 2011, which prohibited the company from deceiving its users about the security and privacy of their accounts.
Zatko’s allegations may cause the FTC and other government agencies to re-examine the company again. Senators Dick Durbin and Chuck Grassley, both ranking members of the Senate Judiciary Committee, have already said they will investigate the company.
Zatko also confirmed that Twitter lied to Elon Musk about bots on the platform. This could complicate an already tense official standoff, as Musk tries to back out of his deal to acquire the corporation.
August 2022: Twitter News
A person who used to work for Twitter has been found guilty of spying for a different country. This individual was found to have been using the social media platform to collect information on behalf of the Saudi government.
This verdict demonstrates the importance of vigilance when it comes to protecting our information, and it should serve as a warning to others who may be thinking of engaging in similar activities.
In August of 2022, a federal jury in California found a former Twitter employee guilty of acting as an unregistered agent of the Saudi government.
The employee had been recruited by the Saudi government to help promote their agenda on Twitter but had failed to disclose their affiliation when they started working for the company.
The jury found that Ahmad Abouammo had used his place on Twitter to examine Saudi dissidents and share information on them with Bader al-Asaker, an assistant to Saudi Crown Prince Mohammed bin Salman. Abouammo’s actions might have contributed to the repression of dissidents in Saudi Arabia.
Abouammo met Asaker in May 2014 at Twitter’s San Francisco headquarters. The two men met again in December 2014, when Asaker allegedly gave Abouammo a luxury watch and at least $20,000 in cash.
Soon after beginning to provide information on Saudi dissidents to Asaker, Abouammo received over $300,000 in payment.
Abouammo introduced the third person involved in the case, Ali Alzabarah, to Almutairi. Alzabarah is accused of helping to plan and carry out the attack.
Alzabarah is also accused of spying on Saudi dissidents for Asaker, but the jury did not find Abouammo criminally responsible for Alzabarah’s activities.
Almutairi testified that he had no idea who Alzabarah was until Abouammo introduced him to him. Alzabarah has been charged with spying on Saudi dissidents for Asaker, but the jury found Abouammo not criminally responsible for his activities.
The Saudi regime has used a variety of methods to spy on dissidents, including paying for information from Twitter and hacking friends and associates of Jamal Khashoggi.
One of the companies that supplied the Saudi regime with spyware is Israeli, and this software was used to hack Khashoggi’s friends and associates.
July 2022 – Twitter Data Breach
On July 21st, 2022, a hacker posted on BreachForums that they had obtained personal data on 5.4 million Twitter users, including email addresses and phone numbers. This data could be very damaging to these users, and we urge them to take action to protect them.
Twitter was hacked and private data was exposed for sale. The data was scraped from Twitter and is now for sale for a price above $30,000.
In January 2022, a white hat hacker identified a vulnerability on Twitter. The company immediately patched up the vulnerability, but on August 5, they acknowledged that it was a contributing factor in the July data breach.
The company is always working to keep its users safe, and in January 2022 they received a report of a vulnerability in their systems. Twitter is taking extra precautions to protect its users’ information.
If someone submits an email address or phone number to their systems, they will tell the person which Twitter account the address or number is associated with.
In June 2021, an update to the code of this bug caused it to become active. The bug was fixed as soon as the developers learned about it, but they had no way of knowing if anyone had taken advantage of the vulnerability before it was fixed.
In July 2022, we became aware of a potential security vulnerability that could have been exploited by someone seeking to sell sensitive information.
After reviewing a small sample of the data for sale, we found that the information was likely stolen and that a bad actor had taken advantage of the situation before it was resolved.
The social media giant has notified most of the user accounts that were affected by the data breach. However, they cannot confirm all of the accounts that were compromised in this incident.
July 2020 – Twitter Data Breach
In July 2020, one of the most widely covered Twitter security breaches occurred. This breach involved the exposure of the personal information of over 300,000 users.
This cyberattack involved targeting the accounts of 130 high-profile individuals, including Elon Musk, Bill Gates, Barack Obama, and Kanye West.
The hacker got access to a target account and started posting fake messages about how the account holder was giving back to their community by doubling all Bitcoin sent to their address and sending those funds back to the sender.
However, despite the widespread negative effects of Twitter on its users, US President Donald Trump remained unaffected.
Many people have been speculating about what kind of protection President Trump may have after his account on Twitter was deactivated by an employee on their last day of work in 2017.
Some believe that there may be some sort of safeguard in place, while others think that this could just be another conspiracy theory.
The New York Times confirmed that someone on Mr. Trump’s team had helped him protect his Twitter account from the attack. The Times sources say that this person used a feature that lets you hide your account from public view.
Back to the topic, the attackers accessed the accounts by using Twitter’s internal administration tools, which meant that the hacker was probably using the company’s own system. This allowed the attackers to access and steal over $100,000 in transfers.
Twitter released a blog post following the attack in which they described it as a social engineering attack in which the hacker obtained employee credentials by phone spear phishing tactics.
The attacker got employee credentials and used them to get access to more and more accounts until they took over high-profile accounts.
November 2019 – Twitter Data Breach
Hundreds of Twitter users learned in November 2019 that their personal data had been exposed. The incident was small-scale, but it raised concerns among users about the security of their information.
Twitter notified the companies that their personal information may have been accessed by third-party researchers.
The researchers found that a development kit named One Audience gave outside developers access to this information, including the username and email addresses of Twitter users.
The One Audience development kit made it easy for developers to access usernames and email addresses.
If you used your Twitter account to log into an app that was impacted by the recent data breach, the developer might have seen a limited amount of personal information (such as your name and some recent tweets) from you.
When someone logged into these apps with their Twitter account, their most recent tweets were also available. CNBC said users of photo editing apps like Giant Square and Photofy could be affected.
The problem was limited to a few hundred people and affected both Twitter and Facebook accounts.
Twitter and Google both notified the people who were affected by the issue. Google is also responsible for taking action if necessary if the issue affects its services.
November 2019: Twitter News
In November 2019 Two former Twitter employees were charged with spying for Saudi Arabia by snooping into thousands of private accounts in order to gather information about critics of the Riyadh government.
The court documents filed Wednesday in San Francisco reveal that the employees were looking for personal information about the individuals, including their Twitter handles and other contact information.
The case is the first time that federal prosecutors have charged Saudis with deploying agents inside the United States. The agents were believed to be working on behalf of the Saudi government to carry out espionage and other activities.
Ahmad Abouammo was employed by Twitter as a media partnerships manager. He was not authorized to access Twitter users’ private information.
He is accused of receiving payments of up to $300,000 from a Saudi source from whom he received a Hublot watch with a value of about $20,000.
Abouammo is charged with being an agent of a foreign government and falsifying records to obstruct an investigation.
Ali Alzabarah worked as a site reliability engineer at the Twitter beginning in August 2013. Alzabarah illegally accessed the Twitter data of over 6,000 Twitter users, including at least 33 usernames for which Saudi Arabian law enforcement had submitted emergency disclosure requests to Twitter.
Among the accounts he accessed were those belonging to people who have publicly criticized the Saudi government.
Alzabarah quit his job at Twitter after his superiors confronted him about looking at company data. He flew back to Saudi Arabia on December 3, 2015, and sent an email of resignation the next day.
The third man has been charged with spying in connection with their alleged work for the Saudi royal family. Ahmed Almutairi, aka Ahmed Aljbreen, is a Saudi citizen described in the complaint as a principal in a social media marketing company.
He is also charged with spying. The other two men, both American citizens, are also charged with spying.
According to the complaint, he is believed to be in Saudi Arabia working as an intermediary between Saudi officials and former Twitter employees, working with Al-Zabala on a social media project “for the benefit of the Kingdom of Saudi Arabia.”
Twitter said that it knows that some people will try to undermine its service and that it only allows a few people to have access to sensitive account information.
October 2019 – Twitter Data Breach
In October 2019, it was revealed that Twitter had been sharing some of its users’ phone numbers and other data for two-factor authentication with other companies. This caused a privacy issue for some of these users.
The company says that it mistakenly included contact information for two-factor authentication, namely phone numbers and email addresses, in its advertising systems.
The social media giant said that it accidentally ingested phone numbers and email addresses collected for security measures like two-factor into two of its advertising systems, called Tailored Audiences and Partner Audiences.
The company is working to delete the information and apologize to the individuals who were affected.
The company shared some of the information it gathered with marketers, but didn’t give them the whole list. This allowed the marketers to target ads to specific Twitter users.
Twitter stopped sharing user data with a third-party analytics company on September 17, three weeks before they came forward about the issue. It is not sure how long the improper sharing of private user data had been going on before they found out and they don’t know how many people were affected.
The company said they don’t have any more information about what caused the mix-up. Facebook recently admitted that it also used phone numbers that people shared with them to help them set up 2FA on their accounts.
The Federal Trade Commission (FTC) fined Facebook a record $5 billion in July after finding that the social media company had mishandled user data numerous times. This massive penalty is the largest ever levied by the FTC and signals the importance of protecting user data.
Twitter has had privacy issues in the past. For example, in May 2018, the company announced that it had stored some user passwords unprotected in plaintext in an internal logging system.
This is a serious privacy violation, and Twitter needs to take steps to make sure this doesn’t happen again. The incident fortunately did not lead to a data breach, but it was a major mistake in handling a crucial piece of user data.
Mistakes happen, but when it comes to the misuse of user information for security purposes, it’s especially clear that companies aren’t prioritizing user privacy and security first.
This suggests that it would be easy for a large tech company to control and protect a limited, well-defined, and unambiguous data set.
The company took quick action to address the data leak in September 2019, and it’s not yet clear how widespread the problem was. However, we do know that the issue lasted for a short period of time.
December 2018 – Twitter Data Breach
Reports emerged in December 2018 alleging that a security flaw had exposed the phone numbers and country codes of Twitter users. This vulnerability could have allowed malicious individuals access to these personal details, potentially posing a risk to their safety.
This could have allowed bad people to find out which countries’ accounts the websites belonged to, which could make it harder for people who are protesting or who are trying to do something shady.
Twitter has inadvertently exposed the ability to pull a user’s phone number and country code, which could be used to determine which countries the user is in.
This security flaw could be used by malicious actors to figure out which dissidents or whistleblowers are using Twitter, potentially having dangerous consequences.
Twitter is suggesting that some of the inquiries made through their support form may have been from IP addresses located in China and Saudi Arabia, and they are requesting more information to help identify why this is the case.
Attribution in these situations can be difficult, and naming specific countries or suggesting state actors could be involved carries heavy implications.
This problem started when we received a support form that could have given others access to a customer’s country code. There is currently no way to know how many times the security flaw was exploited to gain information on other users.
Reports indicate that a security researcher notified Twitter about a problem two years prior. This problem was not announced publicly until December 2018.
Twitter closed a report of a possible security risk without taking any action. However, after looking into the matter, the company determined that the risk wasn’t significant.
May 2018 – Twitter Data Breach
Twitter warned all of its users in May 2018 to change their passwords after discovering a bug that left their 330 million passwords unprotected in an internal system.
While there was no evidence that anyone had actually accessed the passwords, they were unencrypted, meaning anyone who accessed that system could see them.
The bug left passwords exposed in an internal log, meaning that they were displayed in plaintext.
Following the announcement that a user’s account may have been accessed without their permission, the company is urging all users to change their password out of an abundance of caution.
While there is no evidence that any sensitive information was taken, the company is taking this precaution to ensure the safety of its users. The company assures us that it has taken measures to prevent this from happening again.
February 2013 – Twitter Data Breach
Twitter announced a security incident that potentially impacted around 250,000 users in February 2013.
The company said that attackers were able to access account information, specifically user names and email addresses. This information could be used to sign in to accounts and potentially damage them.
Twitter has reset passwords and revoked session tokens for all of these accounts, meaning that users will not be able to log in and will receive an e-mail instructing them to reset their password. The reason for this is a recent Java vulnerability.
The Department of Homeland Security has warned users about the issue and suggested they disable Java in their browsers unless it is absolutely necessary.
Twitter became aware of an issue a week prior to the announcement and a more detailed investigation led to the company becoming aware of a larger breach, namely unauthorized access attempts.
Twitter didn’t give a lot of detail about the attack, only mentioning Java vulnerability. At the time, it wasn’t clear who was behind it.
April 2009 – Twitter Data Breach
In April 2009, someone guessed the password to an administrative account on Twitter. This account was used by an employee to manage their Twitter account. The hacker found two other passwords that were stored on this employee’s personal email account.
A hacker reset at least one Twitter user’s password, potentially allowing them access to nonpublic user information and tweets for any Twitter users.
When someone gets hacked, they can change the password to one of their online accounts. This could include a Twitter account, for example. If the hacker had access to the account’s nonpublic information, they would also be able to see things like private messages and other sensitive information.
Twitter has agreed to a 20-year ban from misleading consumers about its security, privacy, and confidentiality measures. This will ensure that consumers know the truth about how well Twitter protects their nonpublic information.
The consent agreement is a settlement tool, and the respondent does not admit to any law violations.
Once the Commission issues a consent order on a final basis, that order has legal force with respect to future actions. Each violation of that order may result in a civil penalty of up to $16,000.
January 2009 – Twitter Data Breach
In January 2009, an unauthorized person accessed the Twitter administrative control panel using an automated password-guessing tool. The password used was considered weak, being an all-lower-case word you can find in a dictionary.
A hacker who has a history of pranking celebrities has admitted to hijacking multiple high-profile Twitter accounts, including President-Elect Barack Obama’s and the official feed for Fox News. The hacker is said to have been motivated by boredom and the desire to cause mischief.
The hacker, GMZ, told Threat Level that he gained access to Twitter’s administrative control panel by pointing an automated tool at the website. Once inside, GMZ was able to access Twitter’s servers and user accounts.
Since Twitter allowed users to make an unlimited number of password attempts and didn’t flag a high number of attempts happening in quick succession, the hacker was able to gain entry. The hacker would change the passwords of various accounts, granting other people access.
A total of 33 accounts were compromised, and many of them were used to post messages not written by the account owner.
After the two incidents in 2009, the FTC filed charges against Twitter. However, Twitter reached a settlement with the FTC in November of that year.
