Leaked Twitter email addresses number at least 200 million

Written by admin


Registrations for 235 million Twitter accounts and the email addresses used to register them have been posted on an online hacking forum, setting the stage for anonymous identifiers to be linked to real-world identities.

That raises threats of exposure, arrest or violence against people who used Twitter to criticize governments or powerful people, and could expose others to extortion, security experts said. Hackers could also use email addresses to try to reset passwords and take control of accounts, especially those not protected by two-factor authentication.

“This database will be used by hackers, political hacktivists and, of course, governments to further damage our privacy,” said Alon Gal, co-founder of Israeli security firm Hudson Rock, who saw the post on a popular underground market.

The records were likely compiled in late 2021, using a flaw in Twitter’s system that allowed outsiders who already had an email address or phone number to find any accounts that had shared that information with Twitter. Those searches could be automated to check an unlimited list of emails or phone numbers.
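As an added illustration of the defender's side (not part of the article, and not Twitter's code): with the endpoint path, log format and log lines all constructed, this script flags sources that check an unusually large number of distinct emails or phone numbers in a short window, which is the signature of the automated lookups described above.

```python
"""Flag sources that look up many distinct contacts in a short window."""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical endpoint and log format (constructed, not Twitter's).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) POST /api/contact_lookup target=(?P<target>\S+)$"
)

# Constructed sample log: one person checking three contacts, then one
# source sweeping 30 distinct addresses in half a minute (the automated
# pattern the article describes, where the response told the caller
# whether each address belonged to an account).
SAMPLE_LOG = [
    f"2021-12-01T10:00:0{i} 203.0.113.5 POST /api/contact_lookup target=friend{i}@example.org"
    for i in range(3)
] + [
    f"2021-12-01T10:05:{i:02d} 198.51.100.9 POST /api/contact_lookup target=user{i}@example.org"
    for i in range(30)
]

def parse_line(line):
    """Return (timestamp, source, target) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["target"]

def find_enumerators(lines, window_seconds=60, max_distinct=20):
    """Map each source to the largest number of distinct targets it queried
    within any window_seconds-long span, keeping only sources over max_distinct."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_src[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, recs in by_src.items():
        recs.sort()  # sliding window over time-ordered lookups
        lo = 0
        for hi in range(len(recs)):
            while (recs[hi][0] - recs[lo][0]).total_seconds() > window_seconds:
                lo += 1
            distinct = len({target for _, target in recs[lo:hi + 1]})
            if distinct > max_distinct:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

The thresholds are illustrative; in practice they would be tuned against the normal per-user rate of a contact-discovery feature, and the lookup response itself should not distinguish linked from unlinked contacts unless the user has opted in to discoverability.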

Twitter said in August that it had learned of the vulnerability in January 2022 through its bug bounty program and that the vulnerability had been accidentally introduced in a code update seven months earlier.

In July, hackers were seen selling a set of 5.4 million Twitter account identifiers and associated emails and phone numbers, which Twitter said was the first it knew someone had taken advantage of the flaw.

The much larger data dump was almost certainly compiled in the same way and offered for private sale and circulated for a while before the recent publication, Gal said.

The Irish Data Protection Commission said last month that it was investigating the earlier breach and that the EU’s General Data Protection Regulation may have been violated. The new batch is likely to increase the intensity of that investigation and of an ongoing investigation by the US Federal Trade Commission into whether Twitter has been violating consent decrees in which it promised to better protect user data. The FTC declined to comment.

Three quarters of Twitter users live outside of the United States and Canada.

Twitter did not respond to an email seeking comment and asking if the company had any advice for users.

The users at lowest risk are those who registered with email addresses that were either disposable or not linked to them elsewhere. But even they could be subject to account takeover attempts, phishing, or email threats.

In its earlier statement, Twitter said it fixed the flaw when it found out about it, but didn’t say how long the process took. The January 2022 report came during a chaotic month when the company fired its two top security officers.

One of them, Peiter Zatko, had been arguing internally that Twitter was not prepared to defend itself against hacking attempts, and then filed a formal complaint with the Securities and Exchange Commission and testified about the shortcomings before Congress.

While 235 million published records is among the largest breaches anywhere, it’s just the latest in a series of Twitter security disasters dating back more than a decade. The frequent account takeovers led to a 2011 agreement with the FTC that Zatko says the company has been violating.

While Elon Musk previously used Zatko’s testimony about poor security practices in a failed attempt to back out of buying the company, he has since fired many of its security employees.
