The breach has been traced back to a 2021 vulnerability and is the latest in a series of cybersecurity debacles to affect the social media site over the past few years.
By JAMES VINCENT
Usernames and email addresses belonging to more than 200 million Twitter users have been posted online by hackers.
According to reports from security researchers and media outlets including BleepingComputer, the records were compiled from a number of earlier Twitter breaches dating back to 2021. Although the database does not include users’ passwords, it still poses a real threat to those affected: tying an email address to a Twitter handle can unmask pseudonymous accounts and gives attackers a verified contact point for targeted phishing.
“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the hack on LinkedIn. “[It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”
Estimates of the exact number of users affected by the breach vary, in part because of the tendency for such large-scale data dumps to include duplicate records. Screenshots of the database shared by BleepingComputer show it contains a number of text files listing email addresses and linked Twitter usernames, as well as users’ real names (if they shared them with the site), their follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being sold on one hacking forum for as little as $2.
Troy Hunt, creator of the cybersecurity alert site Have I Been Pwned, also analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks to be pretty much what it’s been described as.”
The breach has now been added to Have I Been Pwned’s systems, so anyone can visit the site and enter their email address to see whether it appears in the database.
According to The Washington Post, the database appears to have its roots in 2021, when hackers found a weakness in Twitter’s security measures. The vulnerability let malicious actors submit email addresses and phone numbers in bulk and learn whether each one was linked to a Twitter account, automating account lookups at scale.
When Twitter disclosed the flaw in August 2022, it said it had fixed it in January of that same year after receiving a bug bounty report. Security experts had already found Twitter user databases for sale in July 2022, even though the company said at the time that it “had no evidence to suggest someone had taken advantage of the vulnerability.” This flaw, which Twitter was unaware of for about seven months, appears to be the source of the most recent database, which contains information on more than 200 million accounts.
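To make the mechanism concrete, here is an added example (illustrative code written for this page, not Twitter’s code or anything derived from the leak). It models the kind of “does this email or phone number belong to an account?” endpoint described above, shows how an attacker drives it in bulk to link contact details to handles, and then shows a hardened version that requires authentication, rate-limits each client, and returns the same response whether or not the identifier is registered. The account table, client names and rate-limit numbers are constructed for the example.

```python
"""Account-enumeration oracle: a vulnerable lookup beside a hardened one.

Illustrative code only (not Twitter's). ACCOUNTS, the client names and the
rate-limit numbers are constructed for this example.
"""
from __future__ import annotations

import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample directory: identifier (email or phone) -> handle.
ACCOUNTS = {
    "alice@example.com": "alice_anon",
    "+15550100": "bob_writes",
    "carol@example.com": "carol",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Vulnerable pattern: the response differs depending on whether the
    identifier is registered, and even names the account. Unauthenticated
    and unthrottled, it is an oracle an attacker can drive in bulk."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": 404, "error": "no account found for identifier"}
    return {"status": 200, "handle": handle}


def enumerate_accounts(lookup, candidates: list[str]) -> dict[str, str]:
    """Attacker side: push a candidate list (e.g. emails from older dumps)
    through the lookup and keep every identifier that resolves to a handle.
    Against the vulnerable endpoint this links handles to contact details."""
    linked: dict[str, str] = {}
    for ident in candidates:
        resp = lookup(ident)
        if resp.get("status") == 200 and "handle" in resp:
            linked[ident] = resp["handle"]
    return linked


@dataclass
class RateLimiter:
    """Sliding window per client: at most `limit` calls per `window` seconds."""
    limit: int = 5
    window: float = 60.0
    calls: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def allow(self, client: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.calls[client]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter()


def lookup_hardened(identifier: str, client: str, authenticated: bool = False,
                    now: float | None = None) -> dict:
    """Hardened pattern:
    1. only an authenticated caller may use the endpoint;
    2. each client is rate-limited, so bulk probing is throttled;
    3. the response is identical whether or not the identifier is registered,
       so existence never leaks. An account-recovery flow would notify the
       identifier's owner out of band instead of echoing the account back.
    """
    if not authenticated:
        return {"status": 401, "error": "authentication required"}
    if not LIMITER.allow(client, now):
        return {"status": 429, "error": "too many requests"}
    # Deliberately does not consult ACCOUNTS in any way visible to the caller.
    return {"status": 202,
            "message": "if this identifier is registered, its owner will be contacted"}


if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com", "+15550100"]
    print("vulnerable:", enumerate_accounts(lookup_vulnerable, probes))
    hardened = lambda ident: lookup_hardened(ident, "scraper", authenticated=True)
    print("hardened:  ", enumerate_accounts(hardened, probes))
```

Run stand-alone, the vulnerable endpoint hands back two email-to-handle links, while the hardened one yields nothing even to an authenticated caller; the rate limiter additionally caps how fast a single client can probe, which is also the signal a detection rule would key on (many distinct identifiers from one client in a short window).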
The incident is just the most recent cybersecurity disaster to affect Twitter, which has long had issues with user data security. Following the initial reports in July 2022, the EU has already opened an investigation into the company over the breach, and the FTC is examining similar security lapses. In a complaint submitted to the US government in August of last year, Peiter “Mudge” Zatko, the former head of security at Twitter, accused the company of concealing “egregious deficiencies” in its cybersecurity defenses.