Twitter breach: 200m email addresses allegedly leaked by hackers

5 Jan 2023


Twitter is already being investigated by Ireland’s DPC for an earlier data breach in which more than 5m users may have been affected.

Twitter appears to have suffered a massive data breach as the personal data of roughly 200m users has been leaked online.

The data was investigated by researchers at Privacy Affairs, who claim the information includes email addresses, account names, account handles, account creation dates and number of followers.

The batch of data was shared on a hacker forum and is freely available to download, according to Privacy Affairs. BleepingComputer said it confirmed the validity of some of the email addresses included in the leak.

There were reports last month that a dataset of 400m Twitter users was being sold online, including details of various celebrities. Privacy Affairs believes this is the same dataset, with the figure now reduced to 200m following the removal of duplicates.

Privacy Affairs said the data could be used to determine the real-life identity or location of those affected through social engineering attacks. It could also be used for scam or spam marketing campaigns.

Security experts warned The Washington Post that the leaked data could expose anonymous accounts, which could lead to arrests or violence against people who have criticised governments or powerful individuals on Twitter.

Twitter confirmed in August that hackers had exploited a vulnerability in its system, which allowed people to submit phone numbers and email addresses into Twitter’s API to find any connected Twitter IDs.

The vulnerability resulted from an update Twitter made in June 2021. The company said it learned about this flaw in January 2022 from its bug bounty programme and “immediately investigated and fixed it”. This means the leaked data was likely compiled between June 2021 and January 2022.

There were reports in November that various datasets on Twitter users were being sold online, with estimates that more than 5m users were affected worldwide. This data breach led to an investigation from Ireland’s Data Protection Commission (DPC) to determine if Twitter had breached GDPR.

Twitter also drew the attention of the DPC and other EU watchdogs in August last year after the company’s former head of security, Peiter ‘Mudge’ Zatko, alleged that the social media platform had “extreme” security problems that pose a threat to both its users and shareholders.


Leigh Mc Gowran is a journalist with Silicon Republic
