Twitter A.I CyberSecurity Scoring
Twitter
Company Information
Website: https://twitter.com
Employees number: 1,055
Number of followers: 1,569,826
NAICS: 5112
Industry Type: Software Development
Homepage: twitter.com
Twitter Risk Score (AI oriented)
Between 0 and 549
Twitter • Software Development
Updated: 14/04/2026
188/1000
Critical
C

Twitter: Critical
Current Score: 188 C (CRITICAL)
16 incidents
-24 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
211
MAY 2026
194
APRIL 2026
210
Cyber Attack
10 Apr 2026 • Twitter
Hetzner and Twitter/X: Botnet Exposed: Hackers Leave Worker Access and Root Passwords Wide Open
Exposed Twitter/X Credential-Stuffing Botnet Reveals Full Infrastructure and Operations
186
LOW-24
HETTWI1776176874
Security researchers at GHOST uncovered an unsecured credential-stuffing botnet targeting Twitter/X, exposing its entire command-and-control (C2) infrastructure, worker fleet, and operational details. The botnet’s control panel, a Python Flask-based dashboard branded "Twitter Checker Master Panel – FULL FIX v2.3", was left completely unauthenticated, allowing unrestricted access to its management functions.
The C2 server, hosted on a Windows Server 2019 instance by Hetzner in Falkenstein, Germany, had multiple services (RDP, SMB, WinRM) exposed alongside the Flask panel. No authentication mechanisms were in place, enabling direct access to all endpoints via HTTP on port 5000. Researchers obtained the full 98 KB source code, confirming the absence of security controls and revealing hardcoded API routes for server management, campaign execution, and data exfiltration.
The botnet’s worker fleet consisted of 18 Linux servers in the 31.58.245.0/24 range, owned by Turkish provider Komuta Savunma Yuksek Teknoloji in Ankara. All workers were accessible via root SSH on port 22, with credentials following a predictable pattern: a 12-character lowercase hexadecimal string followed by "kmt.!", likely referencing the hosting provider. The servers were labeled in Turkish (e.g., "Sunucu 8"), suggesting a previous generation of at least seven decommissioned nodes.
During a 12-minute observation on April 10, 2026, the botnet tested 722,763 Twitter/X credential pairs, adding 18 newly compromised accounts to its hit list. Lifetime statistics revealed 4.86 million accounts checked, with 138 successful takeovers, a 0.0028% success rate. Notably, 85.6% of tested accounts triggered two-factor authentication (2FA) and were discarded, demonstrating 2FA’s effectiveness in blocking such attacks. Only 211,662 accounts had valid passwords without 2FA, with just 138 fully compromised.
Attribution indicators point to a Turkish-speaking operator, given the UI’s Turkish language labels (e.g., "Sunucu Ekle" for "Add Server") and the use of Komuta Savunma’s infrastructure. The botnet’s deployment occurred in waves between December 25, 2025, and January 31, 2026, with a tool rollout in late February. Despite its scale, the operation remained undetected on major threat feeds, including VirusTotal, ThreatFox, and AbuseIPDB, highlighting how credential-stuffing campaigns can persist on general-purpose cloud hosts.
The exposed infrastructure, including plaintext root passwords, bulk control endpoints, and real-time telemetry, provided a rare, unfiltered view into the mechanics of a large-scale automated attack.
MARCH 2026
198
FEBRUARY 2026
187
JANUARY 2026
382
DECEMBER 2025
373
NOVEMBER 2025
370
OCTOBER 2025
362
SEPTEMBER 2025
353
AUGUST 2025
345
JULY 2025
336
APRIL 2025
435
Breach
01 Apr 2025 • Twitter
Twitter
Twitter Data Breach Involving 2.87 Billion Accounts
299
CRITICAL-136
TWI602040125
A massive breach involving an ex-employee leaked detailed user profile data from roughly 2.87 billion Twitter accounts, combining new and previously exposed information. The dataset includes user metadata like IDs, screen names, follower counts, and tweets, increasing risks of phishing and impersonation. Although no sensitive information such as email addresses was found in the new data, the merge with past breaches presents a comprehensive user profile view. Twitter has not acknowledged the breach, which stands as the second-largest in history.
MARCH 2025
453
Cyber Attack
10 Mar 2025 • Twitter
Twitter/X
Rapper Bot Botnet DDoS Attacks and Arrest of Operator Ethan J. Foltz
431
HIGH-22
TWI523082025
Twitter/X (now rebranded as X) suffered a massive distributed denial-of-service (DDoS) attack on March 10, 2025, orchestrated by the Rapper Bot botnet, operated by Ethan J. Foltz and an unidentified co-conspirator. The attack, exceeding two terabits per second, caused intermittent global outages, disrupting services for millions of users. The botnet, comprising tens of thousands of hacked IoT devices, overwhelmed Twitter/X’s infrastructure, leading to downtime, financial losses from mitigation efforts (estimated between $500–$10,000 per attack at scale), and reputational damage. While no data breach occurred, the attack demonstrated the platform’s vulnerability to extortion-driven cybercrime, as Rapper Bot was primarily rented to online extortionists targeting gambling operations and businesses. The incident also highlighted the broader threat of DDoS-for-hire services, which exploit weak IoT security to cripple high-profile targets. Twitter/X’s outage, though temporary, underscored the operational and financial risks posed by large-scale DDoS attacks, particularly when leveraged for criminal extortion schemes.
JANUARY 2025
345
Breach
01 Jan 2025 • Twitter
Tencent, MySpace, Twitter, Weibo, Canva, Adobe, Deezer, AdultFriendFinder, U.S. Government and Brazil Government: The 12-Terabyte Ghost: How a Record-Shattering Data Leak Is Arming a New Generation of Cyberattacks
Mother of All Breaches (MOAB)
181
CRITICAL-164
TENMYSTWITENCANADODEEFRIUNIBRA1769520245
The "Mother of All Breaches": 26 Billion Records Exposed in Unprecedented Data Leak
Security researchers have uncovered what may be the largest compilation of stolen credentials in history: a 12-terabyte database dubbed the "Mother of All Breaches" (MOAB), containing 26 billion records from thousands of prior data leaks. Discovered by researcher Bob Dyachenko of SecurityDiscovery.com in collaboration with Cybernews, the dataset was found on an open, publicly accessible server, though its owner remains unknown.
Unlike a single hack, the MOAB is a "compilation of breaches" (COB), aggregating credentials from major platforms, including:
- 1.5 billion records from Tencent
- 504 million from Weibo
- 360 million from MySpace
- 281 million from Twitter (X)
- Millions more from LinkedIn, Adobe, Canva, Deezer, AdultFriendFinder, and others
The dataset also includes records from government organizations in the U.S., Brazil, Germany, the Philippines, and Turkey, amplifying risks for both individuals and enterprises.
### Why This Breach Is a Game-Changer
The MOAB’s danger lies in its consolidation and accessibility. Instead of scattered leaks, attackers now have a single, searchable repository for credential stuffing, phishing, and targeted attacks. While many passwords are outdated, the sheer volume ensures some will still work, especially given widespread password reuse.
Worse, experts warn the dataset may include fresh data from infostealer malware, which harvests current credentials, browser cookies, and autofill details. This hybrid threat, combining historical breaches with live infections, creates a highly effective tool for cybercriminals, from low-level fraudsters to initial access brokers (IABs) selling corporate network access to ransomware gangs.
### The Fallout: A New Era of Cyber Risk
The MOAB’s impact extends beyond individuals. Corporate and government networks are at heightened risk due to employees reusing passwords across personal and work accounts. A single compromised credential could provide attackers with a foothold for devastating intrusions.
Security experts emphasize that password-only authentication is now obsolete against such a vast dataset. The breach underscores the urgent need for multi-factor authentication (MFA), particularly phishing-resistant methods like FIDO2 security keys. Continuous monitoring of credentials against breach databases is also critical.
With the data now in the wild, the MOAB will fuel cyberattacks for years, marking a sobering shift in the threat landscape. The leak serves as a stark reminder: once exposed, data never truly disappears; it only becomes more dangerous.
MAY 2024
377
Breach
01 May 2024 • Twitter
Kaiser Permanente: Kaiser Permanente to pay $46 million in privacy data breach settlement. Here's how to file a claim.
Kaiser Permanente Patient Data Breach Settlement
271
CRITICAL-106
KAI1768267006
Kaiser Permanente Settles $46M Lawsuit Over Alleged Patient Data Breaches
Kaiser Permanente has agreed to a $46 million settlement to resolve a class-action lawsuit alleging unauthorized sharing of patient data through its websites and mobile apps. The settlement, preliminarily approved in December 2025, stems from multiple lawsuits filed in 2024, which were consolidated into a single case.
The lawsuit claimed that from November 2017 to May 2024, Kaiser’s digital platforms used third-party tracking tools, including code from Google, Microsoft, Meta, and Twitter/X, that transmitted sensitive information without user consent. Exposed data reportedly included IP addresses, names, medical histories, search terms, and user navigation details. Kaiser denied any misuse of data or exposure of Social Security numbers or financial information, stating the settlement was reached to avoid prolonged litigation.
Eligible members (current or former Kaiser patients in nine states and D.C. who accessed its websites or apps during the affected period) may receive a one-time payment of $20 to $40 from the settlement fund, which could increase to $47.5 million. Claims must be filed by March 12, 2026, via the settlement website, with payments distributed after final court approval on May 7, 2026. Payouts will be issued electronically or by check.
Kaiser stated it removed the tracking technologies in 2024 and implemented additional safeguards to prevent future incidents. The company maintains no evidence of data misuse but settled to resolve the legal dispute.
JUNE 2023
423
Breach
16 Jun 2023 • Twitter
Twitter
Twitter Data Breach by Disgruntled Employee
288
CRITICAL-135
TWI829032925
A data breach allegedly perpetrated by a disgruntled employee during a period of mass layoffs at Twitter may have resulted in the leakage of profile metadata from up to 2.87 billion users. While the breach does not contain email addresses, the merged dataset from the 2025 leak combined with a previous 2023 leak does, enabling potential phishing attacks and privacy violations. The lack of an official response from Twitter raises concerns about the extent of compromised user data and corporate accountability.
JANUARY 2023
486
Data Leak
01 Jan 2023 • Twitter
Twitter
Twitter Data Breach Incident
383
CRITICAL-103
TWI1659131023
Twitter gave an update on the investigation it initiated after discovering that the personal information of 200 million users was being sold online.
There is no proof that the data were obtained through breaking into the company's systems.
Since the 200 million dataset was not collected by abusing Twitter's servers, it could not be correlated with the previously disclosed incident.
The business emphasised that the vast amount of data is probably a component of a publicly accessible dataset that comes from various sources.
Based on data and intelligence analysed to look into the matter, there is no proof that the information being sold online was obtained through abusing a flaw in Twitter's infrastructure.
DECEMBER 2022
592
Breach
01 Dec 2022 • Twitter
Twitter
Twitter Data Breach
480
CRITICAL-112
TWI2247261222
A seller has apparently listed data related to 400 million Twitter users for sale.
The data, which was allegedly scraped due to a vulnerability, included email, name, username, follower_count, creation_date, and phone_number.
The seller demanded $276 million USD in GDPR breach fines from Twitter to buy the stolen data exclusively.
AUGUST 2022
656
Breach
01 Aug 2022 • Twitter
Twitter
Twitter Data Breach Incident
576
CRITICAL-80
TWI0499822
Twitter suffered a data breach incident after a threat actor compiled a list of 5.4 million user account profiles by exploiting a now-patched zero-day vulnerability that was used to link email addresses and phone numbers to users' accounts.
This vulnerability allowed anyone to submit an email address or phone number, verify if it was associated with a Twitter account, and retrieve the related account ID.
The threat actor verified phone numbers or email addresses, scraped public information such as follower counts, screen name, login name, location, profile picture URL, and other information, and sold the data for $30,000.
JULY 2022
672
Cyber Attack
01 Jul 2022 • Twitter
Twitter
Twitter Verified Accounts Hack
654
CRITICAL-18
TWI223419822
Twitter was targeted by a cyber attack in July 2022.
Influencers, celebrities, politicians, journalists, activists, government and private organizations were the prime targets.
Hackers hacked the Verified Twitter accounts to send fake suspension notices.
AUGUST 2020
608
Vulnerability
01 Aug 2020 • Twitter
Twitter
Twitter Android Direct Message Vulnerability
604
HIGH-4
TWI232926123
Twitter experienced a new security vulnerability that exposed the direct messages of users who access the service using Android devices.
The vulnerability exposed the private data of Twitter users running devices with Android OS versions 8 and 9.
This vulnerability could allow an attacker, through a malicious app installed on the device, to access private Twitter data on people's devices by working around the Android system permissions that protect against this.
JULY 2020
631
Cyber Attack
01 Jul 2020 • Twitter
Twitter (now X Corp)
Twitter Celebrity Account Hijacking and Cryptocurrency Scam (2020)
605
HIGH-26
TWI2632126111725
In July 2020, Twitter suffered a high-profile breach orchestrated by Joseph James O'Connor ('PlugwalkJoe') and accomplices, who exploited SIM-swapping and social engineering to gain access to internal admin tools. The attackers hijacked verified accounts of prominent figures (e.g., Barack Obama, Bill Gates, Jeff Bezos) to post fraudulent Bitcoin scam tweets, netting over $100,000 in hours. Beyond financial fraud, the breach enabled unauthorized access to private direct messages (DMs), extortion of victims, and threats against celebrities. The incident exposed critical vulnerabilities in Twitter’s identity verification and internal controls, eroding user trust and prompting regulatory scrutiny. While no large-scale data leak of user credentials occurred, the reputational damage was severe, compounded by the platform’s role in facilitating high-profile scams. The UK’s £4.11 million ($5.39M) asset seizure from O’Connor—via civil recovery orders—highlights the breach’s financial and legal fallout, including cross-border enforcement actions. The attack underscored risks of insider tool abuse and account takeover (ATO) via telecom exploits, though no ransomware or systemic outages were reported.
JUNE 2020
685
Data Leak
01 Jun 2020 • Twitter
Twitter
Twitter Billing Information Exposure
629
MEDIUM-56
TWI19516123
Twitter experienced another security incident.
The business users’ billing information was inadvertently stored in the browser’s cache, so others who share the same computer could have accessed it.
That data includes the business users’ email addresses, phone numbers, and the last four digits of their credit card numbers associated with the account.
MAY 2018
735
Data Leak
01 May 2018 • Twitter
Twitter
Twitter Password Exposure Incident
625
CRITICAL-110
TWI421251223
Twitter has advised all of its 330 million+ users to update their passwords following the discovery of a fault that left them in plain text on internal servers.
The number of impacted accounts was not disclosed by the company, but Reuters was informed by a source familiar with the company's response that it was a sizable number.
According to the corporation, over 330 million people have been affected, and just one internal system had plain text data kept on it.
Twitter declared that the security flaw had been resolved and that an internal inquiry had been launched to determine whether insiders had misused user data.
MAY 2017
779
Data Leak
01 May 2017 • Twitter
Twitter
Twitter Vine Data Breach
722
MEDIUM-57
TWI112727922
Twitter suffered a data breach incident and informed Vine users of a bug that exposed their email addresses and, in some cases, phone numbers to third parties.
In addition, it warned impacted users to be wary of any communications coming from unfamiliar senders.
Twitter said users do not need to reset passwords on their Vine accounts, but should be aware that any official communications from Vine will come from an @twitter.com email address.
Twitter never asks you via email to open an attachment, nor requests your password.
FEBRUARY 2016
779
Vulnerability
01 Feb 2016 • Twitter
Twitter
Twitter Password Reset Vulnerability
777
CRITICAL-2
TWI13217522
A bug in how Twitter handles password reminders allowed users to take control of other accounts such as @emoji and @god.
Usually, when a user went to reset a password, the email address would be partially masked with asterisks; this time, however, the full email address tied to the account was displayed.
This allowed hackers to hijack many accounts and tweet on their behalf, but the majority of accounts that were taken over were soon restored to normal.