Over 200 million email addresses leaked in Twitter breach

The breach has origins in a 2021 vulnerability


Hackers have posted usernames and email addresses belonging to over 200 million Twitter users in a database. The data was compiled from several Twitter breaches dating back to 2021, and while the online database does not include passwords, the collection of data will likely pose a security threat to those exposed.

Several reports from security researchers and media outlets, including The Verge and Bleeping Computer, have detailed the breach, with researcher Alon Gal warning the breach “will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”

Bleeping Computer shared screenshots of the database, revealing that it contains several text files listing email addresses and their linked Twitter usernames, along with real names (where users had shared them with Twitter). The database also includes details such as users’ follower counts and account creation dates. Bleeping Computer also said it was able to confirm the validity of many email addresses included in the leak. The database is being sold on one hacking forum for as little as $2 USD.

Troy Hunt, who created the cybersecurity alert site ‘Have I Been Pwned’ to help people check whether their phone number or email address was included in a data breach, posted on Twitter that he found 211,524,284 unique email addresses in the Twitter breach. “[The breach] looks to be pretty much what it’s been described as,” Hunt wrote.

The breach has since been added to Have I Been Pwned so Twitter users can head to the site and check if their information was included in the breach.

As mentioned above, the Twitter breach traces its origins back to 2021, when hackers found a vulnerability in Twitter’s systems. That vulnerability allowed malicious actors to use an automated system to submit email addresses and phone numbers and learn whether they were associated with Twitter accounts.

Twitter disclosed the vulnerability in August 2022 and claimed it had fixed the issue in January after it was reported through its bug bounty program. Moreover, Twitter said at the time that it had “no evidence to suggest someone had taken advantage of the vulnerability,” but cybersecurity researchers had already found databases of Twitter credentials for sale in July 2022. This latest database of Twitter information appears to have its origins in that old vulnerability.
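The flaw described above is a classic account-enumeration oracle: an endpoint whose response differs depending on whether a submitted email or phone number is already linked to an account, so an automated caller can confirm registrations one identifier at a time. The following added example (written for this page; not Twitter's code, and using a constructed identifier store and constructed log lines) contrasts that vulnerable response pattern with a hardened lookup that returns the same text either way and enforces a per-client query budget, and finishes with a simple detector that flags clients querying many distinct identifiers in a short window. The `LookupService`, `detect_enumeration` and `/account/lookup` names are hypothetical.

```python
"""Account-enumeration oracle: vulnerable vs. hardened lookup, plus log-based detection."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of registered identifiers (hypothetical; not real account data).
REGISTERED = {"alice@example.com", "bob@example.com", "+15550001111"}


def lookup_vulnerable(identifier: str) -> str:
    """Oracle pattern: the response text reveals whether the identifier is registered,
    so each query answers the question 'is this email/phone tied to an account?'."""
    if identifier.lower() in REGISTERED:
        return "That email or phone is already associated with an account."
    return "No account matches that email or phone."


class LookupService:
    """Hardened variant (hypothetical): uniform response plus a per-client query budget."""

    def __init__(self, max_queries: int = 5, window: timedelta = timedelta(minutes=10)):
        self.max_queries = max_queries
        self.window = window
        self._seen = defaultdict(list)  # client_id -> timestamps of recent lookups

    def lookup(self, client_id: str, identifier: str, now: datetime) -> str:
        recent = [t for t in self._seen[client_id] if now - t < self.window]
        if len(recent) >= self.max_queries:
            self._seen[client_id] = recent
            return "Too many requests; try again later."
        recent.append(now)
        self._seen[client_id] = recent
        # The registration check still happens, but its outcome is acted on out of band
        # (e.g. by messaging the address) and is never reflected in the response text.
        _ = identifier.lower() in REGISTERED
        return "If that email or phone matches an account, we'll send instructions to it."


# Constructed access-log lines: timestamp, client IP, path, queried identifier.
SAMPLE_LOG = """\
2023-01-05T10:00:01Z 203.0.113.7 /account/lookup alice@example.com
2023-01-05T10:00:02Z 203.0.113.7 /account/lookup carol@example.com
2023-01-05T10:00:02Z 203.0.113.7 /account/lookup dave@example.com
2023-01-05T10:00:03Z 203.0.113.7 /account/lookup erin@example.com
2023-01-05T10:00:04Z 203.0.113.7 /account/lookup frank@example.com
2023-01-05T10:00:05Z 203.0.113.7 /account/lookup +15550002222
2023-01-05T10:00:09Z 198.51.100.4 /account/lookup bob@example.com
2023-01-05T10:03:00Z 198.51.100.4 /account/lookup bob@example.com
"""


def detect_enumeration(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag clients that query more than `threshold` distinct identifiers within `window`.

    Returns {client_ip: distinct_identifier_count} for each flagged client. A single
    user retrying their own address (198.51.100.4 above) stays under the threshold.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, path, ident = line.split()
        if path != "/account/lookup":
            continue
        events[ip].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ident))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; flag on the first window that exceeds the threshold.
        for i, (t0, _) in enumerate(evs):
            distinct = {ident for t, ident in evs[i:] if t - t0 < window}
            if len(distinct) > threshold:
                flagged[ip] = len(distinct)
                break
    return flagged


if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"))
    print(lookup_vulnerable("nobody@example.com"))
    svc = LookupService(max_queries=2)
    t = datetime(2023, 1, 5, 10, 0, 0)
    print(svc.lookup("client-a", "alice@example.com", t))
    print(svc.lookup("client-a", "nobody@example.com", t))
    print(svc.lookup("client-a", "x@example.com", t))
    print(detect_enumeration(SAMPLE_LOG))
```

The uniform response closes the oracle only if every other observable channel is also uniform: response time, status code, headers and any error-path differences must match for registered and unregistered identifiers, and the per-client budget needs a client identity that cannot be trivially rotated (for example, it should be tied to authenticated sessions or combined with network-level rate limiting). The detector is intentionally simple and is meant to be run over real access logs with thresholds tuned to the service's normal lookup behaviour.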

Source: The Verge, Bleeping Computer