In early 2023, news circulated that hackers had stolen the email addresses of more than 200 million Twitter users and posted them on an online hacking forum.
Alon Gal, co-founder of the Israeli cybersecurity-monitoring firm Hudson Rock, who first reported the sale of the leaked data, wrote on LinkedIn:
“The database contains 235,000,000 unique records of Twitter users and their email addresses and will, unfortunately, lead to a lot of hacking, targeted phishing, and doxxing. This is one of the most significant leaks I've seen.”
Another report, from Privacy Affairs, stated that data on over 200 million Twitter users had been leaked for anyone to download. The leaked data includes account names, handles, creation dates, follower counts, and email addresses, and could be used for phishing, doxxing, or hacking users’ Twitter accounts.
Twitter has now disputed the recent data leak, stating that "there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems."
In its blog post, Twitter wrote:
In January 2022, Twitter received a vulnerability report through its bug bounty program stating that if someone submitted an email address or phone number to Twitter’s systems, those systems would tell the person which Twitter account, if any, the submitted email address or phone number was associated with. The bug resulted from an update to Twitter's code in June 2021.
Twitter fixed the vulnerability as soon as it was notified of the issue, but a bad actor had already taken advantage of it before it was addressed. Twitter acknowledged the data leak and informed users in August 2022.
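The flaw Twitter describes is a classic account-enumeration weakness: a lookup endpoint whose reply differs depending on whether the submitted email or phone number is known, so a list of contact details can be turned into a list of accounts. The example below is added here to illustrate that pattern and one hardened form; it is constructed code, not Twitter's, and the `ACCOUNTS` table, the `HardenedLookup` class, and the identifiers in it are invented for the illustration.

```python
"""Added illustration of an identifier-lookup enumeration flaw and a hardened
form. Constructed example, not Twitter's code; all names and data are invented."""
import time
from collections import defaultdict, deque
from typing import Callable, Optional

# Constructed sample directory: identifier (email or phone) -> handle. Not real data.
ACCOUNTS = {
    "alice@example.com": "@alice_example",
    "+15550100": "@bob_example",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Pre-fix behaviour: the reply reveals whether the identifier is known
    and which account it belongs to, so the endpoint doubles as an oracle."""
    handle = ACCOUNTS.get(identifier)
    if handle is not None:
        return {"status": 200, "found": True, "handle": handle}
    return {"status": 404, "found": False}


class HardenedLookup:
    """Post-fix behaviour: the externally visible reply is identical whether or
    not the identifier matches an account, and each client is limited to a
    fixed number of lookups per time window so bulk probing is throttled."""

    GENERIC_REPLY = {
        "status": 200,
        "message": "If an account is associated with this identifier, we will contact it.",
    }

    def __init__(self, max_requests: int = 5, window_seconds: int = 60):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._history = defaultdict(deque)  # client_id -> timestamps of recent requests

    def _rate_limited(self, client_id: str, now: float) -> bool:
        hist = self._history[client_id]
        # Drop timestamps that have fallen out of the sliding window.
        while hist and now - hist[0] >= self.window_seconds:
            hist.popleft()
        if len(hist) >= self.max_requests:
            return True
        hist.append(now)
        return False

    def lookup(self, identifier: str, client_id: str, now: Optional[float] = None) -> dict:
        if now is None:
            now = time.monotonic()
        if self._rate_limited(client_id, now):
            return {"status": 429, "message": "Too many requests"}
        # Any account-specific action (for example sending a recovery email to the
        # owner) happens internally; nothing about the match is returned to the caller.
        _ = ACCOUNTS.get(identifier)
        return dict(self.GENERIC_REPLY)


def responses_distinguishable(lookup: Callable[[str], dict], known: str, unknown: str) -> bool:
    """True if the lookup's reply differs between a known and an unknown
    identifier, i.e. the endpoint can be used for enumeration."""
    return lookup(known) != lookup(unknown)


if __name__ == "__main__":
    print("vulnerable distinguishable:",
          responses_distinguishable(lookup_vulnerable, "alice@example.com", "nobody@example.com"))
    svc = HardenedLookup()
    print("hardened distinguishable:",
          responses_distinguishable(lambda ident: svc.lookup(ident, client_id="client-A"),
                                    "alice@example.com", "nobody@example.com"))
```

The uniform reply removes the oracle from the response body; the per-client window limits how fast the endpoint can be queried at all, which is what turns a bulk harvest of 200 million records into something detectable rather than a quiet scrape. Response timing and status codes must be kept uniform too, which is why the hardened path performs the same dictionary lookup on both branches.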
After the news about the data leak was published, Twitter’s Incident Response Team compared the data in the new report with the data reported by the media on 21 July 2022 and determined that the exposed data was the same in both cases.
After a comprehensive investigation, Twitter noted that:
- 5.4 million user accounts reported in November were found to be the same as those exposed in August 2022.
- 400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident.
- 200 million datasets could not be correlated with the previously reported incident or any data originating from the exploitation of Twitter systems.
- Both datasets were the same, though the second one had the duplicated entries removed.
- None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.
According to Twitter, the data is likely a collection of data already publicly available online through different sources. Additionally, Twitter has contacted Data Protection Authorities and other relevant regulators from different countries to provide clarification about the alleged incidents.
Mitigation for Users
Although no passwords were exposed in the data leak, the information contained in the leaked data set may still affect users. Bad actors could use it for phishing, doxxing, or hacking users’ Twitter accounts.
Hence, Twitter encourages everyone who uses Twitter to enable two-factor authentication using an authenticator app or a hardware security key to protect their account from unauthorized logins.
Furthermore, be wary of emails that convey a sense of urgency or request your private information, as threat actors may leverage the leaked information to craft highly effective phishing campaigns.