Researcher claims hackers stole the email addresses of more than 200 million Twitter users and posted the data on hacking forum
Twitter is facing a fresh security problem this week after a researcher warned that 200 million user email addresses have been leaked online.
The claim was made by Alon Gal, co-founder of Israeli cybersecurity-monitoring firm Hudson Rock, on LinkedIn. He alleged that email addresses used to set up Twitter accounts were published on a hacking forum.
Gal added that the database “contains 235,000,000 unique records of Twitter users and their email addresses.” He said the database is “circulating heavily and is now leaked” and will “unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”
Leaked Twitter data
According to Alon Gal, the publication of this database is likely to have the following consequences for victims, as it will enable hackers to:
- Target Crypto Twitter accounts (.eth in name or other methods);
- Hack into high profile accounts (follower count or otherwise);
- Hack into “OG” accounts with good usernames;
- Hack into political accounts;
- Doxx “anonymous” accounts that didn’t use a dedicated email for Twitter.
Gal reportedly called it “one of the most significant leaks I’ve seen.”
Silicon UK could not verify that the data on the forum was authentic and came from Twitter; the leaked data could also have been obtained before Elon Musk took over Twitter and sacked most of its workforce.
However, noted security researcher Troy Hunt, creator of breach-notification site Have I Been Pwned, analysed the leaked data and said on Twitter that the “addresses are only in the scraped Twitter data because they’d already been compromised elsewhere, and so the cycle continues…”
A couple of quick pieces of commentary now then I’ll do some deeper analysis later on: Firstly, the 98% “pwned before” rate clearly indicates the email addresses were taken from other data breaches then used to query the vulnerable API. https://t.co/zW4pp0UetL
— Troy Hunt (@troyhunt) January 5, 2023
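Hunt's observation that already-breached addresses were fed into a vulnerable lookup API points at the signal a platform operator wants to alert on: a single client sending a stream of distinct email addresses to an email-to-account lookup endpoint, where a legitimate client repeats the same few addresses. The Python below is an added example, not Twitter's code or anything from the article; the endpoint path, log format and log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOOKUP_PATH = "/lookup_by_email"  # assumed endpoint name, not Twitter's real path

# Constructed sample log: "<ISO timestamp> <client> <path> <email> <result>".
SAMPLE_LOG = """\
2023-01-05T10:00:00Z mobile-app-77 /lookup_by_email alice@example.com found
2023-01-05T10:00:01Z scraper-1 /lookup_by_email u1@example.com notfound
2023-01-05T10:00:01Z scraper-1 /lookup_by_email u2@example.com found
2023-01-05T10:00:02Z scraper-1 /lookup_by_email u3@example.com notfound
2023-01-05T10:00:02Z scraper-1 /lookup_by_email u4@example.com found
2023-01-05T10:00:03Z scraper-1 /lookup_by_email u5@example.com notfound
2023-01-05T10:00:03Z scraper-1 /lookup_by_email u6@example.com found
2023-01-05T10:05:00Z mobile-app-77 /timeline - -
2023-01-05T10:09:00Z mobile-app-77 /lookup_by_email alice@example.com found
"""

def parse(log_text):
    """Yield (timestamp, client, email) for requests to the lookup endpoint only."""
    for line in log_text.splitlines():
        ts, client, path, email, _result = line.split()
        if path == LOOKUP_PATH:
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, email

def find_enumerators(log_text, max_distinct=5, window=timedelta(minutes=10)):
    """Return {client: peak distinct emails in any window} for clients over the limit.

    Counting distinct addresses rather than raw requests separates a retrying
    app (same address again and again) from an enumeration run that walks a
    list of addresses harvested from other breaches.
    """
    by_client = defaultdict(list)
    for ts, client, email in parse(log_text):
        by_client[client].append((ts, email))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({e for _, e in events[start:end + 1]}))
        if peak > max_distinct:
            flagged[client] = peak
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'scraper-1': 6}
```

A real deployment would also rate-limit the endpoint per client and per source address, which removes the bulk-query capability the threshold is only detecting after the fact.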
Previous claims about the size and scope of the breach varied, with early accounts in December saying that 400 million email addresses and phone numbers had been stolen.
Indeed, this week Ireland’s data protection office said it would investigate the apparent security breach.
It came after a hacker, using the handle “Ryushi”, offered a sample of details from about 1,000 accounts on 23 December, the same day that Ireland’s Data Protection Commission (DPC) said it would investigate an earlier Twitter breach that affected about 5.4 million accounts.
Regulators on both sides of the Atlantic have been monitoring the Elon Musk-owned company for compliance with European data protection rules and a US consent order respectively.
In November the Federal Trade Commission (FTC) said it was closely watching Elon Musk’s moves at Twitter with “deep concern”.
It should be remembered that the FTC had reached a settlement with Twitter in May 2022, after the platform was caught using personal user info to target ads.
That May FTC settlement had built on a 2011 agreement binding the company to install reasonable privacy safeguards and be accountable for an information security program.
In May 2022, when Twitter agreed to pay a $150 million penalty for allegedly deceiving users about how their phone numbers would be used to sell ads, the FTC gained new concessions.
Under that order, Twitter reportedly agreed to install an enhanced privacy program and information security program with specific requirements.