Twitter leak of email addresses totals at least 200 million

Records of 235 million Twitter accounts and the email addresses used to register them were posted to an online hacking forum, setting the stage for tying anonymous handles to real-world identities.

This carries threats of exposure, arrest or violence against people who have used Twitter to criticize governments or powerful individuals, and it could open others to blackmail, security experts said. Hackers could also use the email addresses to try to reset passwords and gain control of accounts, particularly those not protected by two-factor authentication.

“This database is used by hackers, political hacktivists and of course governments to further damage our privacy,” said Alon Gal, co-founder of Israeli security firm Hudson Rock, who spotted the posting on a popular underground marketplace.

The records were likely compiled in late 2021 by exploiting a flaw in Twitter’s system that allowed outsiders who already had an email address or phone number to find any account that had shared that information with Twitter. These searches could be automated to check an unlimited list of emails or phone numbers.
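The flaw described above is a contact-discovery lookup that ignores the account owner's privacy settings and answers one query per email or phone number, so a list can be fed through it at scale. The following is an added illustration, not Twitter's code: a minimal lookup that reproduces the weak behaviour beside a hardened version that only returns a match when the owner has opted in to being found by that contact type, returns the same response for "no such account" and "opted out", and throttles each requester. The sample accounts, the `@alice` and `@anon_critic` handles, and the 20-request limit are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class User:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool  # owner's opt-in for "let people find me by email"
    discoverable_by_phone: bool  # owner's opt-in for "let people find me by phone"


# Constructed sample accounts for the example (hypothetical, not real data).
USERS = [
    User("@alice", "alice@example.com", "+15550000001", True, False),
    User("@anon_critic", "throwaway@example.net", "+15550000002", False, False),
]


def lookup_vulnerable(contact: str) -> dict:
    """Weak form: any matching account is returned regardless of settings,
    and nothing limits how many contacts a caller can try."""
    for u in USERS:
        if contact in (u.email, u.phone):
            return {"exists": True, "handle": u.handle}
    return {"exists": False}


class ContactLookupService:
    """Hardened form: honours per-contact-type opt-in, gives an
    indistinguishable answer for 'no account' and 'not discoverable',
    and rate-limits each requester."""

    def __init__(self, users, max_requests_per_window: int = 20):
        self._by_email = {u.email: u for u in users}
        self._by_phone = {u.phone: u for u in users}
        self._counts = defaultdict(int)  # requester_id -> requests in window
        self._limit = max_requests_per_window

    def lookup(self, requester_id: str, contact: str) -> dict:
        self._counts[requester_id] += 1
        if self._counts[requester_id] > self._limit:
            return {"error": "rate_limited"}

        user = self._by_email.get(contact)
        if user is not None:
            allowed = user.discoverable_by_email
        else:
            user = self._by_phone.get(contact)
            allowed = user is not None and user.discoverable_by_phone

        if not allowed:
            # Same response whether the contact is unknown or opted out,
            # so the endpoint does not confirm that an account exists.
            return {"match": None}
        return {"match": user.handle}


if __name__ == "__main__":
    svc = ContactLookupService(USERS)
    print(lookup_vulnerable("throwaway@example.net"))      # leaks @anon_critic
    print(svc.lookup("client-1", "throwaway@example.net"))  # {'match': None}
    print(svc.lookup("client-1", "alice@example.com"))      # {'match': '@alice'}
```

The key design choice is that a user who has not opted in to discovery by a given contact type is treated exactly like a non-existent account; combined with a per-requester limit, that removes both the disclosure and the cheap automation that made the bulk compilation possible.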

Twitter announced in August that it had learned of the vulnerability in January 2022 through its bug bounty program and that the vulnerability had been inadvertently introduced in a code update seven months earlier.

In July, hackers were spotted selling 5.4 million Twitter account handles and associated email addresses and phone numbers, the first sign that someone had exploited the flaw.

The much larger data dump was almost certainly compiled in the same way and was offered for private sale and circulated for a while prior to the recent release, Gal said.

The Irish Data Protection Commission said last month that it was investigating the earlier breach and that the breach may have violated Europe’s General Data Protection Regulation. The new batch will likely add to the intensity of that investigation and of an ongoing US Federal Trade Commission investigation into whether Twitter violated consent orders in which it promised to better protect user data. The FTC declined to comment.

Three-quarters of Twitter users live outside of the US and Canada.

Twitter didn’t respond to an email asking for comment and asking if the company had any advice for users.

Those users who pose the lowest risk have provided disposable email addresses or ones not otherwise associated with them. But they, too, could fall victim to account takeover attempts, phishing, or email threats.

In its previous statement, Twitter said it fixed the bug when it found out about it, but didn’t say how long the process took. The January 2022 report came during a chaotic month when the company fired its two top security officers.

One of them, Peiter Zatko, had argued internally that Twitter was grossly unprepared to fend off hacking attempts, and he later filed a formal whistleblower complaint with the Securities and Exchange Commission, testifying in Congress about the shortcomings.

While 235 million published records ranks among the largest breaches ever, this is just the latest in a series of security disasters on Twitter spanning more than a decade. Frequent account takeovers led to a 2011 settlement with the FTC, which Zatko says the company violated.

While Elon Musk previously used Zatko’s testimony of poor security practices in a failed attempt to get out of buying the company, he has since fired many of his security staff.