
Twitter Breach: One Vulnerability, Millions of Profiles Leaked

Updated: Nov 14


Twitter Leak Scope

Twitter said that the November 2022 leak of private phone numbers and email addresses resulted from the data breach the company disclosed in August 2022. This autumn's leak included millions of profiles that, upon analysis, were linked to the breach caused by the vulnerability fixed in January 2022.

"In November 2022, some press reports published that Twitter users' data had been allegedly leaked online. As soon as we became aware of the news, Twitter's Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases," said Twitter.

Twitter Leak: API Vulnerability

In January 2022, Twitter's bug bounty program helped identify an API vulnerability that allowed an email address or phone number to be linked to the Twitter ID of a registered account. Unfortunately, a threat actor leveraged this vulnerability to build a database of 5.4 million user profiles containing both public and non-public data before Twitter could identify and remediate the problem.
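The class of flaw described above, as an added illustration that is neither Twitter's code nor from the original post: a lookup endpoint that answers "which account owns this email or phone number?" acts as an oracle, whereas a hardened version responds identically whether or not the identifier is registered and counts lookups per client so that bulk probing can be detected. The user store, the threshold and the client labels are constructed here for illustration.

```python
from collections import defaultdict

# Constructed sample user store (identifier -> account id); not real data.
USERS = {
    "alice@example.com": 1001,
    "+15550100": 1002,
}


def lookup_vulnerable(identifier: str) -> dict:
    """Oracle-style response: reveals whether, and to which account, an identifier is registered."""
    account_id = USERS.get(identifier)
    if account_id is None:
        return {"found": False}
    return {"found": True, "account_id": account_id}


class LookupMonitor:
    """Tracks distinct identifiers probed per client; flags a client once it exceeds the threshold."""

    def __init__(self, threshold: int = 20):
        self.threshold = threshold          # constructed value; tune to real traffic
        self.seen = defaultdict(set)        # client -> set of identifiers probed

    def record(self, client: str, identifier: str) -> bool:
        self.seen[client].add(identifier)
        return len(self.seen[client]) > self.threshold


def lookup_hardened(identifier: str, client: str, monitor: LookupMonitor) -> dict:
    """Uniform response regardless of registration state.

    Any action that depends on the lookup (for example sending a message to the
    identifier if it is registered) happens out of band, so the caller learns
    nothing about the identifier-to-account mapping from the HTTP response.
    """
    if monitor.record(client, identifier):
        # Throttle or challenge the client, still without leaking registration state.
        return {"status": "rate_limited"}
    USERS.get(identifier)  # result used only out of band; never echoed back
    return {"status": "ok", "message": "If this identifier is registered, we will contact it."}
```

The same principle applies to response timing and status codes: a hit and a miss must be indistinguishable from the client's side.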


This summer, the scraped data was spotted on hacker forums, offered for sale at $30,000. Later, a JSON file containing the same data was spotted. Worse still, the threat actor then leaked new data sets suggesting that the breach was far more extensive: potentially up to 17 million records. However, Twitter has yet to reveal how many users were exposed. So far, it encourages users to enable two-factor authentication or dedicated authenticator apps to protect their accounts, and to keep an eye out for phishing emails.


We will not focus on the negative reputational impact this leaking saga continues to have on an already battered Twitter. Instead, consider just one bare fact: a single vulnerability went undiscovered and led to a huge leak.


Avoiding Such Leaks: S-SDLC

This, in turn, brings us to the Secure Software Development Lifecycle (S-SDLC). The SDLC includes stages such as planning, design, building, release and maintenance; making it secure (#SSDLC) requires incorporating security into each of these stages. For all major tech companies offering web, mobile or cloud services, keeping to SSDLC principles is paramount.


We are confident that Twitter keeps to these principles (well, at least used to, considering the recent bulk layoffs at the company). On the other hand, a vulnerability of this type most probably could have been discovered with white-box pentesting, which casts even more doubt on the wisdom of those layoffs. Let's hope they do not affect the cybersecurity team.


Only some companies can afford cybersecurity personnel to augment their software teams. Otherwise, the best option is to engage a cybersecurity partner with relevant expertise in API pentesting, such as Sekurno.

