CNN
—
Email addresses associated with more than 200 million Twitter profiles are now circulating on underground hacker forums, security experts say. The apparent data leak could expose the real-life identities of anonymous Twitter users and make it easier for criminals to steal Twitter accounts or even victims’ accounts on other websites.
According to forum listings reviewed by security researchers and shared with CNN, the leaked records include Twitter user names, account handles, follower numbers and account creation dates.
“The bad actors hit the jackpot,” said Rafi Mendelsohn, a spokesman for Cyabra, a social media analytics firm focused on identifying misinformation and suspicious online behavior. “Previously personal information such as emails, handles and creation history can be used to create smarter and more sophisticated hacking, phishing and disinformation campaigns.”
Some reports have suggested that the data was collected in 2021 through a bug in Twitter's systems, a flaw the company says it fixed in 2022. Twitter acknowledged the vulnerability after a separate incident in July involving 5.4 million Twitter accounts.
Security researcher Troy Hunt said Thursday that his analysis of the data found "211,524,284 unique email addresses" in the leak. The Washington Post previously reported on a forum listing of 235 million accounts.
Hunt did not immediately respond to CNN's question about whether the records would be added to haveibeenpwned.com, which allows users to search hacked records to determine whether they were affected. CNN has not independently verified the authenticity of the records.
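The practical question for anyone reading this is whether their own addresses are in the dump. The following is an added example (not code from CNN, Twitter, or haveibeenpwned.com) of how a security team would answer that offline: parse a dump whose columns are assumed to match the fields the article lists (handle, email, follower count, creation date), normalize the email addresses so cosmetic variants still match, and compare them against a hashed watchlist of the organization's own addresses so the watchlist itself need not be shared in plaintext. The sample records and the CSV layout are constructed for the example.

```python
"""Offline match of a leaked account dump against your own email addresses.

Added example, not Twitter's or CNN's code. The CSV layout is an assumption
modelled on the fields the article lists; SAMPLE_DUMP is constructed data.
"""
import csv
import hashlib
import io
from dataclasses import dataclass

# Constructed sample dump: one malformed line is included on purpose, since
# real dumps are rarely clean and a checker must not abort on a bad row.
SAMPLE_DUMP = """\
handle,email,followers,created
@alice_reports,Alice.Reports@Example.org,120000,2011-03-14
@anon_watcher,throwaway+tw@gmail.com,37,2019-08-02
@bob,bob@example.com,5,2022-01-01
@mallory, bad line without proper fields
@carol,CAROL@EXAMPLE.ORG,8800,2015-06-30
"""


@dataclass(frozen=True)
class LeakRecord:
    handle: str
    email: str      # normalized form, see normalize_email()
    followers: int
    created: str


def normalize_email(email):
    """Canonicalize an address so that 'A.B+tag@GoogleMail.com' and
    'ab@gmail.com' compare equal. Returns None if it is not an address."""
    email = email.strip().lower()
    if "@" not in email:
        return None
    local, _, domain = email.partition("@")
    local = local.split("+", 1)[0]                 # drop +subaddress tags
    if domain in ("gmail.com", "googlemail.com"):  # Gmail ignores dots
        local = local.replace(".", "")
        domain = "gmail.com"
    if not local or not domain:
        return None
    return f"{local}@{domain}"


def parse_dump(text):
    """Parse the dump into LeakRecords, skipping rows that do not parse."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            email = normalize_email(row["email"] or "")
            followers = int(row["followers"])
        except (TypeError, ValueError, KeyError):
            continue  # malformed row: skip it rather than stop the whole scan
        if email is None:
            continue
        records.append(LeakRecord(row["handle"].strip(), email,
                                  followers, (row["created"] or "").strip()))
    return records


def build_watchlist(emails):
    """SHA-256 digests of your own normalized addresses. Unsalted hashes only
    hide the list from casual reading; an attacker who can guess addresses
    can still confirm them, so treat the watchlist as sensitive anyway."""
    return {hashlib.sha256(normalize_email(e).encode()).hexdigest()
            for e in emails if normalize_email(e)}


def find_exposed(records, watchlist):
    """Records whose address is on the watchlist, highest-follower first,
    since large accounts are the most attractive takeover targets."""
    hits = [r for r in records
            if hashlib.sha256(r.email.encode()).hexdigest() in watchlist]
    return sorted(hits, key=lambda r: -r.followers)


def exposed_by_domain(records, domain):
    """All leaked accounts registered under one organization's mail domain."""
    return [r for r in records if r.email.endswith("@" + domain.lower())]


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    mine = build_watchlist(["Throw.Away@googlemail.com", "carol@example.org"])
    for r in find_exposed(recs, mine):
        print(f"EXPOSED {r.handle:<16} {r.email:<28} followers={r.followers}")
    for r in exposed_by_domain(recs, "example.org"):
        print(f"DOMAIN  {r.handle:<16} {r.email}")
```

The domain scan is the one to run first after a leak like this: it tells you which staff accounts an attacker can now tie to your organization and which of them, by follower count, are worth prioritizing for a forced password rotation and an MFA check.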
Twitter did not immediately respond to a request for comment. Twitter’s communications team was gutted along with roughly half of its total workforce after billionaire Elon Musk bought the company in late October. Significant staff reductions may raise concerns about a company’s ability to respond to security threats.
Security researchers warn that the breadth of the leaked data could allow malicious actors or repressive governments to link anonymous Twitter accounts to their owners' real names or email addresses, potentially exposing dissidents, journalists, activists or other at-risk users.
“For these people, it’s a very serious breach,” said John Scott-Railton, a security researcher at the University of Toronto’s Citizen Lab.
Account information can also be valuable to hackers, who can use it in password reset attempts and account takeovers. According to the researchers, people who reuse their Twitter credentials on other digital services such as banks or cloud storage are at particularly high risk, because hackers can combine information from the leak with credentials from other breaches to hijack those users' accounts elsewhere.
Security experts warn that verified Twitter users and users with particularly large followings whose data appears in the leak will be especially valuable targets, since those account holders are often influential public figures or vulnerable to extortion.
Internet users should use unique passwords for each online service and keep track of them with a digital password manager to protect against phishing attempts, security researchers say. They should also enable multi-factor authentication for each of their accounts and exercise caution when opening unsolicited emails or links.
According to BleepingComputer, a cybersecurity news outlet that claims to have tested the data, the latest dump is similar to a leaked data set of 400 million records announced on hacker forums in November, but scaled down to remove some duplicate records. Twitter has not commented on the leak.
Reports of the leak could add to Twitter's already significant legal and regulatory exposure.
In December, Twitter’s main European privacy regulator, the Irish Data Protection Commission, said it was investigating the July 2022 leak as a possible breach of Europe’s signature privacy law, known as GDPR.
Last summer, Peter "Mudge" Zatko, the company's former head of security, submitted a report to the US government detailing long-overlooked security vulnerabilities in Twitter's operations. Zatko argued that Twitter's security lapses represent a breach of Twitter's obligations to the Federal Trade Commission, which could carry serious penalties. (Twitter has broadly and repeatedly disputed Zatko's claims.)
A series of incidents at Twitter have led the company to sign two consent orders with the FTC since 2011 to improve its cybersecurity posture. Violations of FTC orders can result in fines, business restrictions, and even sanctions against individual executives.
In November, top Twitter officials in charge of privacy and security resigned from the company, days after Musk closed the purchase of the platform, and amid massive layoffs that in some cases cut across entire departments.