Usernames and email addresses belonging to more than 200 million Twitter users have been posted online by hackers.
According to reports from security researchers and media outlets including BleepingComputer, the records were compiled from a number of earlier Twitter data sets dating back to 2021. Although the database does not include users’ passwords, it still poses a real threat to those affected: a verified mapping from email address to Twitter handle is exactly what targeted phishing and deanonymization campaigns need.
“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the hack on LinkedIn. “[It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”
Estimates of the exact number of users affected vary, in part because large data dumps of this kind tend to contain duplicate records. Screenshots of the database shared by BleepingComputer show a set of text files listing email addresses and the linked Twitter usernames, as well as users’ real names (if they shared them with the site), their follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being offered on one hacking forum for as little as $2.
Troy Hunt, creator of the cybersecurity alert site Have I Been Pwned, also analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks to be pretty much what it’s been described as.”
The breach has now been added to Have I Been Pwned’s systems, so anyone can visit the site and enter their email address to see whether it was included in the database.
The Washington Post reports that the database appears to trace back to 2021, when attackers found a vulnerability in Twitter’s systems. The flaw was an account-enumeration oracle: if someone submitted an email address or phone number to Twitter, the response revealed which Twitter account, if any, that contact detail was associated with. Because the lookup could be automated, attackers were able to feed email addresses and phone numbers through it en masse and build the email-to-username mapping that is now circulating.
Twitter disclosed the vulnerability in August 2022, saying it had fixed the issue in January that year after it was reported through its bug bounty program. The company said at the time it “had no evidence to suggest someone had taken advantage of the vulnerability,” but security researchers had already seen databases of Twitter user records, compiled with this flaw, for sale in July that year. This most recent database of more than 200 million accounts seems to have its origins in the same years-old vulnerability, which went unnoticed by Twitter for roughly seven months.
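To make the enumeration problem concrete, the following is an added illustration, not Twitter’s code and not a description of its actual endpoint. It models a contact-lookup feature over a small constructed directory of made-up handles, shows how a response that differs for registered and unregistered contacts lets an attacker harvest an email-to-handle mapping from a candidate list, and then shows one common hardening pattern (an assumed design, not Twitter’s fix): an identical response regardless of whether the contact exists, with the real work done as a side effect the caller cannot observe, plus a per-client rate limit.

```python
"""Account-lookup enumeration oracle: vulnerable vs. hardened (illustrative).

The in-memory DIRECTORY below is constructed sample data standing in for a
real account store. None of this is Twitter's code.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable

# Constructed sample data: contact detail (email or phone) -> account handle.
DIRECTORY = {
    "alice@example.com": "alice_tweets",
    "+15555550100": "alice_tweets",
    "bob@example.com": "bob_b",
}


def vulnerable_lookup(contact: str) -> dict:
    """The oracle: the response reveals which account (if any) is tied to the
    submitted contact detail. Status code and body both differ."""
    handle = DIRECTORY.get(contact)
    if handle is None:
        return {"status": 404, "body": "no account found"}
    return {"status": 200, "body": f"account: {handle}"}


def enumerate_accounts(lookup: Callable[[str], dict],
                       candidates: Iterable[str]) -> Dict[str, str]:
    """Attacker side: push a candidate list through the lookup and keep every
    contact that resolves to a handle. Works against any oracle whose success
    response carries the handle."""
    found: Dict[str, str] = {}
    for contact in candidates:
        resp = lookup(contact)
        if resp["status"] == 200 and resp["body"].startswith("account: "):
            found[contact] = resp["body"][len("account: "):]
    return found


class HardenedLookup:
    """Same user-facing feature without the oracle (assumed design).

    - The response is byte-identical whether or not the contact exists.
    - Anything that depends on the contact being registered (here: queuing a
      message to the owner) happens as a side effect the caller cannot see.
    - A per-client counter caps how many probes one caller may make.
    """
    CONSTANT_BODY = "If this contact is registered, instructions have been sent to it."

    def __init__(self, limit_per_client: int = 5):
        self.limit = limit_per_client
        self.counts: Dict[str, int] = defaultdict(int)
        self.outbox: list = []  # internal only; never returned to the caller

    def lookup(self, contact: str, client_id: str) -> dict:
        self.counts[client_id] += 1
        if self.counts[client_id] > self.limit:
            return {"status": 429, "body": "too many requests"}
        if contact in DIRECTORY:
            # Queue a message to the real owner; do NOT surface the handle.
            self.outbox.append(contact)
        return {"status": 200, "body": self.CONSTANT_BODY}


if __name__ == "__main__":
    # Constructed candidate list: two registered contacts, two unregistered.
    probes = ["alice@example.com", "carol@example.com",
              "+15555550100", "+15555550199"]
    print("vulnerable:", enumerate_accounts(vulnerable_lookup, probes))
    hardened = HardenedLookup(limit_per_client=3)
    print("hardened:  ", enumerate_accounts(
        lambda c: hardened.lookup(c, "attacker"), probes))
```

In the vulnerable path an attacker with a list of leaked email addresses or a phone-number range learns the handle for every match; in the hardened path the same candidate list yields nothing, the legitimate owner still gets their message, and the fourth probe from one client is refused. Constant responses alone are not sufficient in practice (response timing and per-IP limits that attackers spread across many addresses are the usual gaps), but removing the differential response is the step that turns a mass-enumeration feature back into a lookup that only helps the account owner.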