Usernames and email addresses of more than 200 million Twitter users have been posted online by hackers.
According to reports from security researchers and media outlets including BleepingComputer, the credentials were compiled from a number of previous Twitter breaches dating back to 2021. While the database does not contain any users’ passwords, it nevertheless poses a security risk to those affected.
“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post on LinkedIn describing the hack. “[It] will unfortunately lead to a lot of hacking, targeted phishing and doxxing.”
Estimates of the exact number of users affected by the breach vary, in part because such large-scale data dumps tend to include duplicate records. Screenshots of the database shared by BleepingComputer show it contains a number of text files listing email addresses and associated Twitter usernames, as well as users’ real names (if they shared them with the site), follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being sold on one hacking forum for just $2.
Troy Hunt, creator of the breach-notification website Have I Been Pwned, also analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, seems to be about what it’s described.”
The breach has now been added to Have I Been Pwned’s systems, so anyone can visit the site and enter their email address to see whether it is included in the database.
The origin of the database seems to date back to 2021, reports The Washington Post, when hackers discovered a vulnerability in Twitter’s security systems. The flaw allowed malicious actors to automate account lookups by entering email addresses and phone numbers en masse to see if they were linked to Twitter accounts.
Twitter disclosed this vulnerability in August 2022 and said it had fixed the issue in January of that year after it was reported through its bug bounty program. The company claimed at the time that it had “no evidence that anyone had exploited the vulnerability,” but cybersecurity experts had spotted databases of Twitter records for sale in July of that year. This most recent database of over 200 million accounts appears to have its origins in this years-long vulnerability, which went undetected by Twitter for about seven months.
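As an added illustration (not code from the article, from Twitter, or from any of the researchers quoted), the snippet below contrasts a lookup endpoint whose reply differs for linked and unlinked identifiers, the behaviour the article describes, with a hardened version that answers uniformly and flags any caller querying many distinct identifiers. The account directory, caller addresses and threshold are constructed for the demo.

```python
from collections import defaultdict

# Constructed sample directory (identifier -> username); not real data.
ACCOUNTS = {"alice@example.com": "alice_h", "+15555550123": "bob_k"}

def lookup_leaky(identifier):
    """Vulnerable pattern: the reply reveals whether the identifier is linked
    to an account, so bulk queries confirm which emails/phones have accounts."""
    if identifier in ACCOUNTS:
        return {"status": 200, "username": ACCOUNTS[identifier]}
    return {"status": 404}

# Same reply whether or not the identifier is known.
UNIFORM_REPLY = {"status": 202,
                 "message": "If this identifier is linked to an account, "
                            "instructions have been sent to it."}

class HardenedLookup:
    """Mitigations: one response shape for known and unknown identifiers, and a
    per-caller budget of distinct identifiers that cuts off and flags mass
    lookups (assumed threshold of 5; tune to real traffic)."""
    def __init__(self, max_distinct=5):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)   # caller -> identifiers queried so far
        self.alerts = []               # flagged callers, for the SOC to review

    def lookup(self, caller, identifier):
        self.seen[caller].add(identifier)
        if len(self.seen[caller]) > self.max_distinct:
            if caller not in self.alerts:
                self.alerts.append(caller)
            return {"status": 429}
        # Any account-specific action (e.g. a recovery mail) happens out of
        # band; the HTTP reply itself carries no account-existence signal.
        return dict(UNIFORM_REPLY)
```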