More than 200 million email addresses of Twitter users were exposed and posted on an online forum, according to a security researcher, CNN reported.
The apparent data leak could expose the real-life identities of anonymous Twitter users and make it easier for criminals to hijack Twitter accounts, or even victims’ accounts on other websites, security experts warned.
“Bad actors have won the jackpot,” said Rafi Mendelsohn, a spokesman for Cyabra, a social media analysis firm focused on identifying disinformation and inauthentic online behavior.
“Previously private data such as emails, handles, and creation date can be leveraged to build smarter and more sophisticated hacking, phishing and disinformation campaigns,” added Mendelsohn.
The leaked records also include Twitter users’ names, account handles, follower numbers and the dates the accounts were created, according to forum listings reviewed by security researchers and shared with CNN.
Troy Hunt, a security researcher, said Thursday that his analysis of the data “found 211,524,284 unique email addresses” that had been leaked. The Washington Post earlier reported a forum listing promoting the data of 235 million accounts.
Some reports suggested the data was collected in 2021 through a bug in Twitter’s systems, a flaw the company fixed in 2022 after a separate incident in July involving 5.4 million Twitter accounts alerted the company to the vulnerability, reported CNN.
Twitter didn’t immediately respond to a request for comment. Its communication team, along with roughly half of Twitter’s overall workforce, was gutted after billionaire Elon Musk completed his acquisition of the company in late October. The significant staff reductions could now add to concerns about the company’s ability to respond to security threats.
The breadth of the leaked data could allow malicious actors or repressive governments to connect anonymous Twitter handles with the real names or email addresses of their owners, potentially unmasking dissidents, journalists, activists, or other at-risk users around the world, security researchers warn.
The account data could also be valuable to hackers who can use the information as part of password-reset attempts and account takeovers. The risk is particularly high for individuals who use the same account credentials on Twitter as they do for other digital services such as banks or cloud storage, researchers said, because hackers could take information gleaned from the leak to pry open user accounts elsewhere, reported CNN.
Verified Twitter users caught up in the apparent leak, and users with especially large followings, will be particularly valuable targets, security experts warned, as those account holders may be influential celebrities or susceptible to extortion.
To protect themselves from phishing attempts, internet users should use unique passwords for each online service and keep track of them using a digital password manager, security researchers say. They should also enable multi-factor authentication for each of their accounts, and exercise caution when opening unsolicited email or links, reported CNN.
According to the cybersecurity news outlet BleepingComputer, which said it had tested the data, the latest dump appears similar to a leaked dataset advertised on hacking forums in November containing an alleged 400 million records, but slimmed down to eliminate some duplicate records. Twitter has not commented on that leak.
Reports of the leak could expand Twitter’s already significant legal and regulatory risk.
Successive incidents at Twitter have led to the company signing two consent orders with the FTC since 2011 to improve its cybersecurity posture. Violations of FTC orders can lead to fines, business restrictions and even sanctions targeting individual executives, reported CNN.
Notably in November, top Twitter officials responsible for privacy and security resigned from the company, just days after Musk closed his purchase of the platform and amid the mass layoffs that in some cases cut whole departments.