"The Consequences of the Twitter Email Leak Affecting 200 Million Users"

In January 2022, it was reported that hackers were selling data stolen from 400 million Twitter users. Researchers have now discovered a widely circulated trove of email addresses that is believed to be a refined version of the larger trove, with duplicate entries removed, linked to approximately 200 million users. The cache of data provides further insight into the severity of the leak and those who may be most at risk as a result.

From June 2021 to January 2022, there was a bug in a Twitter API that allowed attackers to submit contact information, such as email addresses, and receive the associated Twitter account, if one existed. The bug was exploited by hackers to scrape data from the social network before it was patched. While the bug did not allow hackers to access passwords or other sensitive information, it did expose the connection between Twitter accounts and the email addresses and phone numbers linked to them, potentially identifying users.

The vulnerability was apparently exploited by multiple actors to create various collections of data. One collection, which has been circulated in criminal forums since the summer, contained the email addresses and phone numbers of about 5.4 million Twitter users. The newly surfaced trove seems to only contain email addresses, but the widespread circulation of the data increases the risk of phishing attacks, identity theft attempts, and other individual targeting.

Twitter did not comment on the incident. The company stated in an August disclosure that it immediately investigated and fixed the vulnerability as soon as it was discovered and that there was no evidence to suggest that it had been exploited. These types of incidents, while significant, are not uncommon and often lead to confusion about the number of distinct troves of data that are created as a result of malicious exploitation. These incidents are significant because they add more connections and validation to the large amount of stolen data that already exists in the criminal ecosystem about users.

The founder of HaveIBeenPwned, a breach-tracking site, ingested the Twitter data set into the site and reported that it contained information about more than 200 million accounts. Almost 98% of the email addresses had already been exposed in past breaches recorded by HaveIBeenPwned.

Twitter stated in August that it shared concerns about the potential for users' pseudonymous accounts to be linked to their real identities as a result of the API vulnerability and recommended that users not add a publicly known phone number or email address to their Twitter account to maintain privacy.