Email addresses linked to more than 200 million Twitter profiles are now circulating on underground hacker forums, security experts say. The data leak could reveal the real-life identities of anonymous Twitter users and make it easier for criminals to take over Twitter accounts, or even victims’ accounts on other websites, experts warn.
The leaked archive also includes Twitter usernames, account names, follower numbers and the date the account was created, according to a forum list reviewed by security researchers and shared with CNN.
“The bad guys have hit the jackpot,” said Rafi Mendelsohn, a spokesman for Cyabra, a social media analytics firm focused on identifying misinformation and dishonest online behavior. “Previously private data like emails, usernames and creation dates can be leveraged to build smarter and more sophisticated hacking, phishing and disinformation campaigns.”
Some reports claim that the data was collected in 2021 through a bug in Twitter’s systems, a flaw the company fixed in 2022 after a separate incident in July involving 5.4 million Twitter accounts alerted the company to the vulnerability.
Troy Hunt, a security researcher, said on Thursday that his data analysis “found 211,524,284 unique email addresses” that had been leaked. The Washington Post previously reported a forum listing that promoted the data of 235 million accounts.
Hunt did not immediately respond to a question from CNN asking whether the records had been added to his website, haveibeenpwned.com, which lets users search breached records to determine whether they were affected. CNN has not independently verified the authenticity of the leaked data.
Twitter did not immediately respond to a request for comment. Its communications team, along with about half of Twitter’s overall workforce, was gutted after billionaire Elon Musk completed his acquisition of the company at the end of October. The substantial staff cuts may raise concerns about the company’s ability to respond to security threats.
The scale of the leaked data could allow malicious actors or repressive governments to connect anonymous Twitter accounts to the owners’ real names or email addresses, security researchers warn, potentially unmasking dissidents, journalists, activists or other at-risk users around the world.
“For those people, this is a very serious breach,” said John Scott-Railton, a security researcher at the University of Toronto’s Citizen Lab.
Account data can also be valuable to hackers, who can use this information as part of password reset and account takeover attempts. The risk is particularly high for individuals who reuse the same login credentials on Twitter and on other digital services such as banking or cloud storage, the researchers say. Hackers can take information gathered from the leak to pry open user accounts elsewhere.
Security experts warn that verified Twitter users included in the apparent leak, or users with particularly large followings, will be especially valuable targets as a result of the leak, as those account holders may be public figures with significant influence or may be susceptible to blackmail.
Security researchers say that, to protect themselves from phishing and account takeover attempts, internet users should use unique passwords for each online service and track them with a digital password manager. They should also enable multi-factor authentication on each of their accounts, and be cautious about opening unsolicited emails or links.
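The defender-side work the article implies is exposure triage: given a dump with the fields it describes (email, username, account name, follower count, creation date), find which of an organisation's addresses appear in it and notify the high-reach accounts first. The following Python is an added example, not code from CNN, Cyabra, Citizen Lab or Have I Been Pwned; the CSV layout, the sample rows and the watch list are constructed for illustration, and the real archive's format is not given on the page.

```python
"""Exposure triage over a leaked-account dump (added example; sample data constructed)."""
import csv
import hashlib
import io
from dataclasses import dataclass

# Constructed sample dump. Field names follow the article's description of the
# archive; the rows and the CSV layout are invented for this example.
SAMPLE_DUMP = """email,username,name,followers,created
alice@example.org,alice_ex,Alice Example,120,2015-03-02
bob@example.org,bobby,Bob B,48000,2011-08-19
ALICE@EXAMPLE.ORG,alice_ex,Alice Example,120,2015-03-02
carol@other.test,carol,Carol,15,2020-01-01
dave@example.org,dave_press,Dave (journalist),150000,2009-05-05
"""


@dataclass(frozen=True)
class LeakRecord:
    email: str
    username: str
    name: str
    followers: int
    created: str


def parse_dump(text: str) -> list[LeakRecord]:
    """Parse CSV rows, normalising email case and dropping exact duplicates
    (the article notes the latest dump was reduced to remove duplicate records)."""
    seen: set[LeakRecord] = set()
    records: list[LeakRecord] = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = LeakRecord(
            email=row["email"].strip().lower(),
            username=row["username"].strip(),
            name=row["name"].strip(),
            followers=int(row["followers"]),
            created=row["created"].strip(),
        )
        if rec in seen:
            continue
        seen.add(rec)
        records.append(rec)
    return records


def email_fingerprint(email: str) -> str:
    """SHA-256 of the normalised address, so a watch list can be compared or
    handed to a third party without circulating the raw addresses."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def exposed_for_domain(records: list[LeakRecord], domain: str) -> list[LeakRecord]:
    """All records whose email belongs to the organisation's domain,
    highest follower count first (the accounts the article flags as priority targets)."""
    suffix = "@" + domain.lower()
    hits = [r for r in records if r.email.endswith(suffix)]
    return sorted(hits, key=lambda r: r.followers, reverse=True)


def triage(records: list[LeakRecord], watched_emails: list[str],
           high_reach: int = 10_000) -> list[dict]:
    """Match a watch list (by fingerprint) against the dump and rank the hits.
    'high' priority means the account's reach makes it a likelier takeover or
    blackmail target; everyone on the list still gets the password-rotation
    and MFA advice from the article."""
    watched = {email_fingerprint(e) for e in watched_emails}
    hits = [r for r in records if email_fingerprint(r.email) in watched]
    hits.sort(key=lambda r: r.followers, reverse=True)
    return [
        {
            "email": r.email,
            "username": r.username,
            "followers": r.followers,
            "priority": "high" if r.followers >= high_reach else "normal",
        }
        for r in hits
    ]


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(f"{len(recs)} unique records after de-duplication")
    for entry in triage(recs, ["alice@example.org", "dave@example.org", "nobody@example.org"]):
        print(entry)
```

The fingerprint step matters when the watch list is an HR export or a partner's address list: the comparison works on hashes, so the script never needs to write the raw addresses next to the leaked rows, and the de-duplication on the full record (not just the email) keeps distinct accounts registered to one address.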
According to cybersecurity news outlet BleepingComputer, which said it examined the data, the latest dump appears to be similar to a leaked dataset advertised on hacking forums in November containing 400 million records, but reduced to remove some duplicate records. Twitter did not comment on that leak.
Reports of the leak could expand Twitter’s significant legal and regulatory risks.
In December, Twitter’s main European privacy regulator, the Irish Data Protection Commission, said it was investigating the July 2022 leak for a possible breach of Europe’s signature privacy law, known as GDPR.
Last summer, the company’s former chief security officer, Peiter “Mudge” Zatko, filed a whistleblower report with the US government alleging long-ignored security vulnerabilities in Twitter’s operations. Zatko stated that Twitter’s security shortcomings amount to a breach of its binding commitments to the Federal Trade Commission. (Twitter has broadly and repeatedly rebutted Zatko’s allegations.)
Repeated incidents at Twitter have led the company to sign two consent orders with the FTC since 2011 to improve its cybersecurity posture. Violation of FTC orders can result in fines, business restrictions, and even sanctions targeting individual executives.
In November, Twitter’s top officials responsible for privacy and security resigned from the company, just days after Musk closed his purchase of the platform and amid mass layoffs that, in some cases, eliminated entire departments.