Anatomy of a Breach: Twitter — 5.4 Million Users' Phone Numbers Exposed Through an API Vulnerability

> series: anatomy_of_a_breach —— part: 163 —— target: twitter —— records: 5,400,000 —— method: api_enumeration —— pattern: identical_to_facebook_linkedin

Hedgehog Security · 31 July 2022 · 11 min read

5.4 million users' phone numbers. Through an API. The same pattern. Again.

In July 2022, data scraped from Twitter through an API vulnerability was confirmed to be circulating on hacking forums. The vulnerability — in Twitter's API endpoint that allows users to find accounts by phone number or email address — had been reported through Twitter's bug bounty programme in January 2022 and patched. But before the fix was applied, at least one attacker had exploited the vulnerability to scrape the personal data of approximately 5.4 million accounts, including phone numbers and email addresses linked to Twitter handles.

The pattern was identical to the Facebook 533M leak (2021) and a concurrent LinkedIn scraping incident: an API endpoint designed for legitimate user-lookup functionality was abused for bulk enumeration of user data. A larger dataset — reportedly containing the email addresses of approximately 200 million Twitter users — subsequently surfaced, suggesting broader exploitation. The Twitter API breach joined an ever-growing list of API scraping incidents documented throughout this series — from AT&T iPad (2010) through Moonpig (2015) to Cambridge Analytica (2018).

AT&T 2010. Facebook 2021. Twitter 2022. The same vulnerability class. Thirteen years later.

User Lookup APIs Are Scraping Targets

Every platform that offers 'find friends by phone number' or 'search by email' functionality creates an API endpoint that can be abused for bulk enumeration. Rate limiting, anomaly detection, and limiting the data returned by lookup APIs are essential defences. Our <a href="/penetration-testing/api">API penetration testing</a> assesses enumeration and scraping defences.

Phone Numbers Enable Further Attacks

As documented in the <a href="/blog/anatomy-of-a-breach-facebook-533m-leak">Facebook 533M</a> analysis, exposed phone numbers enable SIM-swapping, vishing, and SMS phishing. <a href="/cyber-essentials">Cyber Essentials</a> recommends authenticator-based MFA over SMS-based MFA for this reason.

Bug Bounty Reported — But Exploited First

The vulnerability was reported through Twitter's bug bounty programme — but attackers had already exploited it before the fix was applied. This 'race condition' between responsible disclosure and malicious exploitation is inherent to bug bounty programmes. <a href="/vulnerability-scanning">Continuous vulnerability scanning</a> identifies exploitable API endpoints proactively.

Industry-Wide Pattern

Facebook, LinkedIn, Twitter — the three largest social media platforms all suffered API scraping breaches within two years. The pattern is systemic: any platform that offers user-lookup functionality must assume it will be abused. Our <a href="/penetration-testing/api">API testing</a> assesses this attack surface.

API scraping is a permanent threat. Test your APIs for it.

The Twitter scraping breach reinforced that API enumeration and scraping — documented in this series since 2010 — remain persistent, industry-wide vulnerabilities that affect the world's largest platforms. For UK organisations with user-facing APIs, API penetration testing must specifically assess enumeration, rate limiting, and bulk scraping defences. Cyber Essentials mandates access controls. SOC in a Box monitors for API abuse patterns. And UK Cyber Defence provides incident response when API abuse is detected.


Facebook. LinkedIn. Twitter. All scraped through APIs. Are your APIs tested for enumeration and bulk scraping?

Our <a href="/penetration-testing/api">API testing</a> assesses enumeration and scraping defences. <a href="/cyber-essentials">Cyber Essentials</a> mandates access controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for API abuse.