Following reports that hackers were selling stolen data from 400 million Twitter users at the end of 2022, researchers now say that a widely circulated pool of email addresses linked to around 200 million users is a trimmed version of that larger repository with duplicate entries removed. The social network has yet to comment on the leak, but the data cache makes clear its severity and who may be most at risk as a result.
From June 2021 to January 2022, a bug in the Twitter application programming interface (API) allowed an attacker to submit contact information, such as an email address or phone number, and get back the associated Twitter account, if one existed. Before it was patched, attackers exploited the vulnerability to “scrape” data from the social network. While the bug did not give hackers access to passwords or other sensitive information like DMs, it did expose the link between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers associated with them, which is enough to identify users.
While it was active, this vulnerability appears to have been exploited by multiple actors to build various data collections. A dataset that has been circulating on crime forums since the summer includes the email addresses and phone numbers of about 5.4 million Twitter users. The huge new trove appears to contain only email addresses. Still, the wide circulation of the data creates the risk that it will fuel phishing attacks, identity theft, and other targeting of individuals.
Twitter did not respond to WIRED’s request for comment. The company wrote of the API vulnerability in an August disclosure: “When we became aware of this, we immediately investigated and fixed it. At the time, we had no evidence that anyone took advantage of this vulnerability.” Twitter’s telemetry, it seems, was not enough to detect malicious scraping.
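The two points above, the contact-lookup oracle and the scraping that telemetry failed to catch, are illustrated by this added example (not Twitter’s code): a lookup endpoint in its enumeration-prone and hardened forms, plus a simple detector that flags clients whose lookups span an unusual number of distinct contacts. All handles, contacts and log lines are constructed.

```python
"""Contact-lookup oracle vs. hardened response, with a scrape detector.
Added example; names, handles and log lines are constructed."""
from collections import defaultdict

# Constructed sample directory: contact -> account handle.
ACCOUNTS = {"alice@example.com": "@alice_anon", "+15550001111": "@bob"}


def lookup_vulnerable(contact):
    """Enumeration oracle: the answer differs for known vs. unknown
    contacts, so a caller can map email/phone -> account at scale.
    This is the behaviour the article describes, kept for contrast."""
    return ACCOUNTS.get(contact)


def lookup_hardened(contact):
    """Identical response whether or not the contact is registered.
    Any real matching (e.g. account recovery) happens out of band via
    the contact channel itself, so the API leaks no contact->account link."""
    return "If this contact is registered, we have sent instructions to it."


def flag_scrapers(log_lines, max_distinct=3):
    """Flag clients whose lookups cover more distinct contacts than an
    ordinary user would plausibly need. Constructed log format:
    '<unix_ts> <client_id> lookup <contact> <hit|miss>'.
    Counting distinct contacts (not raw requests) catches slow scrapers
    that stay under a per-minute rate limit."""
    seen = defaultdict(set)
    for line in log_lines:
        _, client, action, contact, _ = line.split()
        if action == "lookup":
            seen[client].add(contact)
    return sorted(c for c, s in seen.items() if len(s) > max_distinct)


SAMPLE_LOG = [  # constructed request log
    "1640995200 c1 lookup alice@example.com hit",
    "1640995201 c1 lookup bob@example.com miss",
    "1640995202 c1 lookup carol@example.com miss",
    "1640995203 c1 lookup +15550001111 hit",
    "1640995210 c2 lookup dave@example.com miss",
]

if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("alice@example.com"))
    print("hardened:  ", lookup_hardened("alice@example.com"))
    print("flagged:   ", flag_scrapers(SAMPLE_LOG))
```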
Twitter is not the first platform to expose data to mass scraping through an API vulnerability, and in such situations there is usually confusion about how many distinct datasets actually exist as a result of malicious exploitation. These incidents still matter, though, because they add more connections and confirmation to the large volumes of stolen user data already circulating in the criminal ecosystem.
“Obviously, a lot of people were aware of this API vulnerability and a lot of people scraped it. Are different people scraping different things? How many datasets are there?” says Troy Hunt, founder of the breach tracking website HaveIBeenPwned. Hunt imported the Twitter dataset into HaveIBeenPwned and says it represents information on more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in previous breaches recorded by HaveIBeenPwned. Hunt said he has emailed notifications to nearly 1,064,000 of the service’s 4.4 million email subscribers.
“This is my first time sending a seven-figure email,” he said. “Almost a quarter of my entire subscriber base, which is really significant. But since so much has already been exposed out there, I don’t think this will be an incident with lasting effects. But it can de-anonymize people. What worries me more is individuals who want to maintain their privacy.”