A possible, previously undisclosed Twitter breach was reported last week by security researcher and citizen journalist Chad Loder.
Loder initially shared details of the breach, which they called "massive," on Twitter in a Nov. 23 thread. Loder, who founded security awareness training provider Habitu8, wrote that the alleged breach affects millions of users in Europe and the United States who have phone discovery settings enabled.
Loder's thread is not currently available, as their Twitter account is suspended. An archive of the thread is available on the Internet Archive's Wayback Machine.
"From what I have confirmed, the breached Twitter data covers, at a minimum, the full phone number spaces for multiple country codes in the EU, and some area code in the U.S.," Loder wrote. "The dataset includes verified accounts, celebrities, prominent politicians, and government agencies."
For example, "All accounts for the entire country code of France" are listed as part of the leaked data set.
Loder did not say exactly how they obtained evidence of a breach other than that they "received" it. In a separate thread on decentralized social media platform Mastodon, they said the data was from late 2021 and that the set included phone numbers, Twitter verification status, account names and bios for tens of millions to "perhaps over 100 [million]" users. Loder also provided a blurred screenshot of the alleged data set.
TechTarget Editorial contacted Loder for comment via Mastodon, but had not received a response at press time.
TechTarget Editorial also contacted Twitter in order to verify the potential breach and ask why Loder was banned. Twitter did not respond.
According to Loder, this data set is not part of the breach Twitter disclosed in August. That breach originated from a vulnerability discovered in January 2022, which according to Twitter was fixed shortly after. The August disclosure followed reports that a threat actor was attempting to sell data stolen via the vulnerability in July.
UPDATE 12/12: Twitter published a blog post Friday in an apparent response to Loder's report.
"In November 2022, some press reports published that Twitter users' data had been allegedly leaked online. As soon as we became aware of the news, Twitter's Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases."
Bleeping Computer reported Sunday that 5.4 million user records from this earlier breach were recently shared for free on a hacking forum. Bleeping Computer also reported that it received a sample file from the breach Loder reported and confirmed that the phone numbers were real.
The potential breach is not connected to Elon Musk's acquisition of Twitter in late October, which has resulted in huge layoffs as well as resignations. However, like the acquisition, the data set could mark the latest major security issue for the social media giant this year. Former CISO Lea Kissner departed the company on Nov. 10, along with other privacy- and compliance-focused executives, and disruptions with Twitter's SMS two-factor authentication service came to light several days later.
In addition, former Twitter head of security Peiter "Mudge" Zatko blew the whistle on Twitter's cybersecurity operation over the summer. Zatko accused Twitter, which is currently under a Federal Trade Commission settlement for a 2009 data breach, of improperly storing user data and giving large numbers of employees access to sensitive user data repositories.
Alexander Culafi is a writer, journalist and podcaster based in Boston.