Email addresses linked to more than 200 million Twitter profiles are currently circulating on underground hacker forums, security experts say. The apparent data leak could expose the real-life identities of anonymous Twitter users and make it easier for criminals to hijack Twitter accounts, the experts warned, or even victims’ accounts on other websites.
The trove of leaked records also includes Twitter users’ names, account handles, follower numbers and the dates the accounts were created, according to forum listings reviewed by security researchers and shared with CNN.
“Bad actors have won the jackpot,” said Rafi Mendelsohn, a spokesman for Cyabra, a social media analysis firm focused on identifying disinformation and inauthentic online behavior. “Previously private data such as emails, handles, and creation date can be leveraged to build smarter and more sophisticated hacking, phishing and disinformation campaigns.”
Some reports suggested the data was collected in 2021 through a bug in Twitter’s systems, a flaw the company fixed in 2022 after a separate incident in July involving 5.4 million Twitter accounts alerted the company to the vulnerability.
Troy Hunt, a security researcher, said Thursday that his analysis of the data “found 211,524,284 unique email addresses” that had been leaked. The Washington Post earlier reported a forum listing promoting the data of 235 million accounts.
Hunt did not immediately respond to a question from CNN asking whether the records would be added to his website, haveibeenpwned.com, which allows users to search hacked records to determine if they have been affected. CNN has not independently verified the records’ authenticity.
Twitter didn’t immediately respond to a request for comment. Its communication team, along with roughly half of Twitter’s overall workforce, was gutted after billionaire Elon Musk completed his acquisition the company in late October. The significant staff reductions could now add to concerns about the company’s ability to respond to security threats.
The breadth of the leaked data could allow malicious actors or repressive governments to connect anonymous Twitter handles with the real names or email addresses of their owners, potentially unmasking dissidents, journalists, activists or other at-risk users around the world, security researchers warn.
“For those people, this is a very consequential breach,” said John Scott-Railton, a security researcher at The University of Toronto’s Citizen Lab.
The account data could also be valuable to hackers who can use the information as part of password-reset attempts and account takeovers. The risk is particularly high for individuals who use the same account credentials on Twitter as they do for other digital services such as banks or cloud storage, researchers said, because hackers could take information gleaned from the leak to pry open user accounts elsewhere.
Verified Twitter users caught up in the apparent leak, or users with particularly large followings, will be particularly valuable targets as a result of the leak, security experts warned, as those account holders may be especially influential celebrities or susceptible to extortion.
To protect themselves from phishing attempts, internet users should use unique passwords for each online service and keep track of them using a digital password manager, security researchers say. They should also enable multi-factor authentication for each of their accounts, and exercise caution when opening unsolicited email or links.
According to the cybersecurity news outlet BleepingComputer, which did claim to test the data, the latest dump appears similar to a leaked dataset advertised on hacking forums in November containing an alleged 400 million records, but slimmed down to eliminate some duplicate records. Twitter has not commented on that leak.
Reports of the leak could expand Twitter’s already significant legal and regulatory risk.
In December, Twitter’s main European privacy regulator, the Irish Data Protection Commission, said it is investigating the July 2022 leak as a possible violation of Europe’s signature privacy law, known as GDPR.
Last summer, the company’s former head of security, Peiter “Mudge” Zatko, filed a whistleblower report to the US government alleging long-ignored security vulnerabilities in Twitter’s operations. Zatko claimed that Twitter’s shortcomings on security reflected a breach of Twitter’s binding commitments to the Federal Trade Commission, a serious offense. (Twitter broadly and repeatedly pushed back at Zatko’s allegations.)
Successive incidents at Twitter have led to the company signing two consent orders with the FTC since 2011 to improve its cybersecurity posture. Violations of FTC orders can lead to fines, business restrictions and even sanctions targeting individual executives.
In November, top Twitter officials responsible for privacy and security resigned from the company, just days after Musk closed his purchase of the platform and amid the mass layoffs that in some cases cut whole departments.