Massive Twitter data leak investigated by EU privacy watchdog (Security News, December 2022)
"The DPC corresponded with Twitter International Unlimited Company in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance," the Irish privacy regulator said on Friday.
Twitter's lead EU watchdog wants to determine if Twitter has complied with its obligation as a data controller regarding the processing of users' data and if it infringed any General Data Protection Regulation or Data Protection Act 2018 provisions.
All this data was collected in December 2021 using a Twitter API vulnerability disclosed via the HackerOne bug bounty program that enabled anyone to submit phone numbers or email addresses into the API to link them to their associated Twitter ID. After BleepingComputer shared a sample of the stolen user records with Twitter, the company confirmed they had suffered a data breach linked to attackers using an API bug fixed in January 2022.
Security expert Chad Loder also shared on Twitter and Mastodon details regarding an even larger Twitter data dump potentially containing millions of Twitter records with personal phone numbers collected using the now-fixed API bug and some public info like verified status, account names, Twitter ID, bio, and screen name.
"I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US," Loder said.
None of the phone numbers in this more extensive leaked database were present in the original data sold in August 2002, showing the large amount of Twitter user data being exchanged among threat actors and just how much more significant Twitter's data breach was compared to what was previously known.