What Twitter’s 200 million email leak really means

Rosie Struve; Getty Images

After reports that hackers sold information stolen from 400 million Twitter users in late 2022, researchers now say the widely distributed email addresses associated with about 200 million users are likely an enhanced version of a larger collection that has been stripped of duplicate entries. The social network has yet to comment on the massive disclosure, but the cache of data sheds light on the severity of the leak and who may be at greater risk as a result.

Between June 2021 and January 2022, there was a bug in Twitter’s application programming interface, or API, that allowed attackers to submit contact information, such as email addresses, in exchange for the associated Twitter account, if any. Before it was patched, attackers used the flaw to “scrape” data on the social network. While the flaw did not allow hackers to access passwords or other sensitive information such as DMs, it did expose links between Twitter accounts, often pseudonymous, and the email addresses and phone numbers associated with them, potentially identifying users.

While live, the vulnerability was exploited by many actors to build various data collections. One that has been circulating on crime forums since the summer contains the email addresses and phone numbers of nearly 5.4 million Twitter users. The massive, newly emerging trove contains only email addresses. Still, the widespread distribution of the data creates the risk that it will fuel phishing attacks, identity theft attempts, and other attacks aimed at individuals.

Twitter did not respond to WIRED’s requests for comment. The company wrote of the API vulnerability in an August statement: “When we learned of it, we immediately investigated and fixed it. At the time, we had no evidence that anyone had exploited the vulnerability.” Apparently, Twitter’s telemetry wasn’t enough to detect the malicious scraping.
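As an added illustration (not Twitter’s code and not part of the WIRED story), the Python sketch below shows the lookup behaviour the article describes beside a variant whose response does not reveal whether a contact is linked to an account, plus a simple telemetry check of the kind the article says was missing. The account directory, client IDs, log format and threshold are constructed for the example.

```python
"""Contact-to-account enumeration: the flaw class described above, a
non-enumerable variant, and a scraping check over constructed lookup logs.
Added illustration; names, data and thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample directory: contact -> pseudonymous handle (hypothetical).
ACCOUNTS = {
    "alice@example.com": "@night_owl_42",
    "+15555550123": "@night_owl_42",
    "bob@example.com": "@bob_public",
}


def lookup_vulnerable(contact: str) -> dict:
    """Behaviour the article describes: a contact yields the linked handle,
    so anyone with a list of emails or phone numbers can build links
    between them and pseudonymous accounts."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "handle": handle}


def lookup_hardened(contact: str) -> dict:
    """Non-enumerable variant: the response is identical whether or not the
    contact is linked to an account. Anything the contact owner needs to
    know (e.g. a sign-in link) goes out of band to that contact, never back
    to the caller, and a contact-discovery feature would only return a
    handle whose owner has explicitly opted in to being found this way."""
    _ = ACCOUNTS.get(contact)  # out-of-band side effects would happen here
    return {"status": "accepted"}


def flag_scrapers(log_lines, window=timedelta(minutes=10), threshold=50):
    """Flag callers that look up many distinct contacts in a short window.
    Constructed log format: '<ISO-8601 timestamp> <client_id> <contact>'.
    A legitimate client rarely needs to probe dozens of unrelated contacts
    in minutes; a scraper working through a list does exactly that."""
    events = defaultdict(list)
    for line in log_lines:
        ts, client, contact = line.split()
        events[client].append((datetime.fromisoformat(ts), contact))
    flagged = set()
    for client, evs in events.items():
        evs.sort()
        recent = []  # sliding window of (timestamp, contact)
        for ts, contact in evs:
            recent.append((ts, contact))
            while recent and ts - recent[0][0] > window:
                recent.pop(0)
            if len({c for _, c in recent}) >= threshold:
                flagged.add(client)
                break
    return sorted(flagged)


def constructed_log():
    """Constructed sample: one client sweeping 60 distinct contacts in two
    minutes, one client repeating a single lookup a few times."""
    base = datetime(2021, 7, 1, 12, 0, 0)
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} app-9f1 user{i}@example.com")
    for i in range(5):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} app-001 alice@example.com")
    return lines


if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"))   # reveals the handle
    print(lookup_hardened("alice@example.com"))     # reveals nothing
    print(flag_scrapers(constructed_log()))         # ['app-9f1']
```

The hardened handler removes the information leak at the source; the telemetry check is the second layer, catching a client that is still sweeping contact lists even through an endpoint that should not answer.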

Twitter is far from the first platform to suffer mass data scraping because of an API flaw, and in such scenarios confusion about how many distinct pools of data actually exist as a result of the exploitation is common. These events are still significant because they add more connections and validation to the massive amount of stolen user data already circulating in the criminal ecosystem.

“Obviously there are a lot of people who are aware of this API vulnerability and are exploiting it. Did different people break different things? How many troves are there? It doesn’t matter,” says Troy Hunt, founder of the breach-tracking site HaveIBeenPwned. Hunt included the Twitter data set in HaveIBeenPwned, which he says represents information on more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in past breaches recorded by HaveIBeenPwned. Hunt says he sent a notification email to about 1,064,000 of his service’s 4,400,000 email subscribers.

“It’s the first time I’ve sent a seven-figure email,” he says. “Almost a quarter of my total subscriber base is really significant. But since most of these are already there, I don’t think it will be a long-tail event in terms of impact. But it can de-anonymize people. What worries me more are the people who want to protect their privacy.”

Twitter wrote in August that it shared this concern about the potential for users’ pseudonymous accounts to be linked to their real identities as a result of an API vulnerability.

“If you operate a Twitter account with a pseudonym, we understand the risks that an incident like this can bring, and we deeply regret that this has happened,” the company wrote. “To keep your identity as private as possible, we recommend that you do not add a publicly known phone number or email address to your Twitter account.”

For users who had linked their Twitter handles to their burner email accounts while the bug was live, the advice comes too late. In August, the social network said it was alerting potentially affected individuals about the situation. The company has not said whether it will issue additional warnings in light of the hundreds of millions of leaked records.

Ireland’s Data Protection Commission said last month it was investigating the incident, which exposed the email addresses and phone numbers of 5.4 million users. Twitter is also currently under investigation by the US Federal Trade Commission over whether the company violated a “consent decree” that obliges Twitter to improve its user privacy and data protection measures.

This story originally appeared on wired.com.