The breach has been traced back to a 2021 vulnerability and is the latest in a series of cybersecurity debacles to affect the social media site over the past few years.
Usernames and email addresses belonging to more than 200 million Twitter users have been posted online by hackers.
According to reports from security researchers and media outlets including BleepingComputer, the credentials were compiled from a number of earlier Twitter breaches dating back to 2021. Although the database does not include users’ passwords, it nevertheless represents a security threat to those affected.
“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the hack on LinkedIn. “[It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”
Estimates of the exact number of users affected by the breach vary, in part because of the tendency for such large-scale data dumps to include duplicate records. Screenshots of the database shared by BleepingComputer show it contains a number of text files listing email addresses and linked Twitter usernames, as well as users’ real names (if they shared them with the site), their follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being sold on one hacking forum for as little as $2.
Troy Hunt, creator of the cybersecurity alert site Have I Been Pwned, also analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks to be pretty much what it’s been described as.”
The breach has now been added to Have I Been Pwned’s systems, meaning anyone can visit the site and enter their email address to see if it was included in the database.
The database seems to trace back to 2021, reports The Washington Post, when hackers discovered a vulnerability in Twitter’s security systems. The flaw allowed malicious actors to automate account lookups: submitting email addresses and phone numbers en masse to learn whether each one was associated with a Twitter account.
Twitter disclosed this vulnerability in August 2022, saying it had fixed the issue in January that year after it was reported through its bug bounty program. The company claimed at the time it “had no evidence to suggest someone had taken advantage of the vulnerability,” but cybersecurity experts had already spotted databases of Twitter credentials for sale in July that year. This most recent database of more than 200 million accounts seems to have its origins in this years-old vulnerability, which went unnoticed by Twitter for roughly seven months.
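The account-lookup flaw described above is a textbook observable-discrepancy bug: an endpoint that answers differently for registered and unregistered contacts lets anyone with a list of emails or phone numbers confirm which ones have accounts. The following Python is an added illustration written for this article, not Twitter's code and not a reconstruction of its actual endpoint. It shows the leaky response pattern beside a hardened version (uniform response plus per-client rate limiting), a self-check a defender can run against their own endpoint, and a simple detection that flags clients making bulk lookups in access logs. The account table, client IDs, paths and log lines are all constructed sample data.

```python
"""Added example (not Twitter's code): a lookup endpoint that reveals
account existence, the hardened form that does not, and a log check that
flags bulk lookup activity. All data below is constructed for illustration."""
from collections import defaultdict, deque

# Constructed sample of registered contacts (email -> handle); not real users.
ACCOUNTS = {
    "alice@example.com": "alice_h",
    "bob@example.com": "bob_h",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Leaky pattern: status and body differ depending on whether the
    identifier is registered, so every call confirms or denies existence
    (CWE-204, observable response discrepancy)."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": 404, "body": "No account found for this contact"}
    return {"status": 200, "body": f"Account found: @{handle}"}


class LookupLimiter:
    """Sliding-window per-client rate limit for the hardened endpoint."""

    def __init__(self, max_calls: int, window_s: float):
        self.max_calls = max_calls
        self.window_s = window_s
        self._calls = defaultdict(deque)  # client_id -> timestamps in window

    def allow(self, client_id: str, now: float) -> bool:
        q = self._calls[client_id]
        while q and now - q[0] > self.window_s:  # drop calls outside the window
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


def lookup_hardened(identifier: str, client_id: str,
                    limiter: LookupLimiter, now: float) -> dict:
    """Hardened pattern: identical status and body whether or not the
    identifier exists, so the response carries no existence signal. Any real
    work (e.g. mailing recovery instructions) happens out of band and its
    outcome is never returned. Over-limit clients get 429 for every input.
    (Equalising response timing is a further step not shown here.)"""
    if not limiter.allow(client_id, now):
        return {"status": 429, "body": "Too many requests"}
    _registered = identifier in ACCOUNTS  # used only for the side channel-free work
    return {"status": 200,
            "body": "If that contact is registered, instructions have been sent to it"}


def leaks_existence(lookup, known: str, unknown: str) -> bool:
    """Defender self-check: call the endpoint once with a registered and once
    with an unregistered identifier; True means the responses differ."""
    return lookup(known) != lookup(unknown)


# Constructed access-log lines: "<client> <method> <path> <status>".
SAMPLE_LOG = [
    "10.0.0.5 GET /account/lookup?email=a@example.com 200",
    "10.0.0.5 GET /account/lookup?email=b@example.com 404",
    "10.0.0.5 GET /account/lookup?phone=15550001 404",
    "10.0.0.5 GET /account/lookup?email=c@example.com 200",
    "10.0.0.9 GET /home 200",
    "10.0.0.9 GET /account/lookup?email=me@example.com 200",
]


def flag_bulk_lookups(log_lines, threshold: int):
    """Count lookup calls per client and return the clients at or above
    threshold, sorted. A real detection would window by time as well."""
    counts = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        client, path = parts[0], parts[2]
        if path.startswith("/account/lookup"):
            counts[client] += 1
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lim = LookupLimiter(max_calls=5, window_s=60)
    print("vulnerable leaks:", leaks_existence(
        lookup_vulnerable, "alice@example.com", "nobody@example.com"))
    print("hardened leaks:", leaks_existence(
        lambda i: lookup_hardened(i, "demo", lim, 0.0),
        "alice@example.com", "nobody@example.com"))
    print("bulk lookup clients:", flag_bulk_lookups(SAMPLE_LOG, 3))
```

The self-check compares whole responses, so it catches body and status differences but not timing; in practice the hardened handler should also do the same amount of work on both paths. The rate limiter is keyed on a client identifier, which in a real deployment would be an authenticated session or API key rather than a spoofable source address alone.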
The breach is only the latest cybersecurity debacle to affect Twitter, which has long struggled to protect its users’ data. The company is already being investigated by the EU for the breach (based on first reports in July 2022) and is being probed by the FTC for similar security lapses. Last August, Twitter’s former head of security, Peiter “Mudge” Zatko, turned whistleblower on the company, filing a complaint with the US government in which he claimed that the company was covering up “egregious deficiencies” in its cybersecurity defenses.