Hackers publish email addresses linked to 200 million Twitter accounts

Email addresses linked to more than 200 million Twitter profiles are currently circulating on underground hacker forums, security experts say.

The apparent data leak could expose the real identities of anonymous Twitter users and make it easier for criminals to hijack accounts, or even victims’ accounts on other sites, experts warned.

The trove of leaked records also includes Twitter usernames, account names, number of followers and account creation dates, according to listings on forums reviewed by security researchers and shared with CNN.

Rafi Mendelsohn, spokesperson for Cyabra, a social media analytics company that focuses on identifying misinformation and inauthentic behavior on the Internet, says: “The bad guys hit the jackpot.”

“Formerly private data such as email addresses, usernames and creation date can be leveraged to create smarter and more sophisticated hacking, phishing and disinformation campaigns.”

Some reports suggested the data was collected in 2021 via a bug in Twitter’s systems, a flaw the company corrected in 2022 after a separate incident in July involving 5.4 million Twitter accounts alerted the company to the vulnerability.

Troy Hunt, a security researcher, said Thursday that his analysis of the data “found 211,524,284 unique email addresses” that had been leaked. The Washington Post previously reported that a forum was promoting the data of 235 million accounts.

Hunt did not immediately respond to a question from CNN about whether the records would be added to his website, haveibeenpwned.com, which allows users to search for hacked records to determine if they were affected.

CNN did not independently verify the authenticity of the records.

Twitter did not immediately respond to a request for comment. Its communications team, about half of Twitter’s total staff, was laid off after billionaire Elon Musk completed his takeover of the company in late October.

Large staff reductions can now raise concerns about the company’s ability to respond to security threats.

The breadth of leaked data could allow malicious actors or repressive governments to link anonymous Twitter accounts to the real names or email addresses of their owners, potentially putting dissidents, journalists, activists or other users worldwide at risk, security researchers warn.

“For these people, this is a very important vulnerability,” says John Scott-Railton, a security researcher at the University of Toronto’s Citizen Lab.

Account data can also be valuable to hackers, who can use it to try to reset passwords and hijack accounts.

According to the researchers, the risk is especially high for people who use the same account credentials on Twitter and other digital services, such as banking or cloud storage, because hackers can use the information obtained from the leak to access other sites.

Verified Twitter users affected by the apparent leak, or users with particularly high follower counts, will be especially valuable targets as a result of the leak, security experts have warned, as the account holders could be particularly influential celebrities or susceptible to extortion.

To protect against phishing attempts, users should use unique passwords for each online service and keep track of them using a digital password manager, security researchers say. They should also enable multi-factor authentication for each of their accounts and be careful about opening unsolicited emails or links.

According to cybersecurity agency BleepingComputer, which said it had analyzed the data, the recent leak appears similar to one announced on hacker forums in November, which contained 400 million records, although it has been scaled down to remove some duplicates. Twitter has not commented on this leak.

Reports of the leak could increase Twitter’s already significant legal and regulatory risk.

In December, Twitter’s main European privacy regulator, the Irish Data Protection Commission, said it was investigating the July 2022 leak as a potential breach of Europe’s most important privacy law, known as the GDPR.

Last summer, the company’s former security chief, Peiter “Mudge” Zatko, filed a report with the US government exposing long-ignored security vulnerabilities in Twitter’s operations. Zatko claimed that Twitter’s security deficiencies reflected a breach of the company’s binding commitments to the Federal Trade Commission (FTC), which constituted a crime. Twitter has largely and repeatedly refuted Zatko’s allegations.

Successive Twitter incidents have led the company to sign two consent orders with the FTC since 2011 to improve its cybersecurity posture. Failure to comply with FTC orders can result in fines, business restrictions and even penalties against individual executives.

In November, top Twitter officials responsible for privacy and security resigned from the company, just days after Musk closed on the acquisition of the platform and amid mass layoffs that, in some cases, affected entire departments.

Source: CNN Brasil