Twitter says its incident response team analyzed the user data leaked in November 2022 and confirms it was collected using the same vulnerability before it was fixed in January 2022.
"In November 2022, some press reports published that Twitter users' data had been allegedly leaked online," reads the update.
"As soon as we became aware of the news, Twitter's Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases." - Twitter.
In January 2022, Twitter received a report through its bug bounty program that an API vulnerability allowed an attacker to submit email addresses or phone numbers and receive the Twitter ID associated with a registered account.
By the time Twitter remediated the problem, a threat actor had already used the API vulnerability to input millions of email addresses and phone numbers, creating 5.4 million user profiles consisting of public and non-public data.
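The flaw described above is a classic account-enumeration oracle: a lookup endpoint whose response differs depending on whether the supplied contact detail is registered. The following is an added illustration, not Twitter's code or API; the endpoint shape, the account directory, the log format and the thresholds are all constructed for this example. It contrasts a leaky lookup with a uniform-response variant, and adds a simple detector that flags a client which queries many distinct identifiers within a short window, the access pattern a bulk scrape produces.

```python
"""Illustrative model of a contact-to-account lookup and a detector for bulk
enumeration.  Added example; not Twitter's code or API.  Endpoint shape,
directory contents, log lines and thresholds are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed directory: contact identifier -> account id (hypothetical data).
ACCOUNTS = {
    "alice@example.com": 1001,
    "+15550000001": 1002,
    "bob@example.com": 1003,
}


def lookup_leaky(contact: str) -> dict:
    """Pattern described in the report: the response distinguishes a registered
    contact (and reveals its account id) from an unknown one, so the endpoint
    acts as an oracle linking contact details to accounts."""
    if contact in ACCOUNTS:
        return {"found": True, "account_id": ACCOUNTS[contact]}
    return {"found": False}


def lookup_uniform(contact: str) -> dict:
    """Hardened variant: the response is identical whether or not the contact
    is registered.  Any real follow-up (for example a confirmation message to
    that address) happens out of band, so nothing in the reply leaks state."""
    # Side effects omitted; the important property is that the reply never varies.
    return {"status": "accepted"}


# Constructed API access log: timestamp, client id, contact queried, hit flag.
SAMPLE_LOG = """\
2022-01-10T10:00:00 client=A contact=alice@example.com hit=1
2022-01-10T10:00:01 client=A contact=+15550000001 hit=1
2022-01-10T10:00:02 client=A contact=carol@example.com hit=0
2022-01-10T10:00:03 client=A contact=bob@example.com hit=1
2022-01-10T10:00:04 client=A contact=+15550000009 hit=0
2022-01-10T10:00:00 client=B contact=bob@example.com hit=1
2022-01-10T10:00:30 client=B contact=bob@example.com hit=1
2022-01-10T10:01:00 client=B contact=bob@example.com hit=1
2022-01-10T10:05:00 client=C contact=alice@example.com hit=1
2022-01-10T10:05:10 client=C contact=dave@example.com hit=0
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, client, contact, hit)."""
    events = []
    for line in text.strip().splitlines():
        ts, client, contact, hit = line.split()
        events.append((
            datetime.fromisoformat(ts),
            client.split("=", 1)[1],
            contact.split("=", 1)[1],
            hit.split("=", 1)[1] == "1",
        ))
    return events


def flag_enumerators(events, window=timedelta(minutes=5), max_distinct=3) -> set:
    """Return the clients that queried more than max_distinct distinct contacts
    within any sliding window of the given length.  Repeated lookups of the
    same contact (normal client behaviour) do not raise the distinct count;
    the thresholds here are constructed and would be tuned per deployment."""
    by_client = defaultdict(list)
    for ts, client, contact, _hit in events:
        by_client[client].append((ts, contact))

    flagged = set()
    for client, rows in by_client.items():
        rows.sort()
        seen = Counter()  # distinct contacts currently inside the window
        start = 0
        for ts, contact in rows:
            seen[contact] += 1
            # Evict entries that fell out of the window ending at ts.
            while rows[start][0] < ts - window:
                old = rows[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_distinct:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    print("leaky  :", lookup_leaky("alice@example.com"), lookup_leaky("x@example.com"))
    print("uniform:", lookup_uniform("alice@example.com"), lookup_uniform("x@example.com"))
    print("flagged:", flag_enumerators(parse_log(SAMPLE_LOG)))
```

Client A in the constructed log queries five different identifiers in five seconds and is flagged; client B repeats one lookup and client C makes two, so neither trips the distinct-contact threshold. In practice this check sits beside per-client rate limits, and the uniform response is the fix that removes the oracle itself rather than merely slowing it down.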
This scraped data was then put up for sale on a hacker forum in July 2022 for $30,000, with two people allegedly buying it for under the original asking price.
In September 2022 and November 2022, a threat actor released a JSON file containing the complete set of 5.4 million records scraped in 2021, which until then had circulated privately among a small number of threat actors.
Around the same time, a researcher also shared samples of an additional set of Twitter profiles scraped using the vulnerability that was not included in the original 5.4 million user breach. This data set is allegedly far more extensive, reportedly containing 17 million records collected using the same API flaw.