
What Twitter’s 200M Email Leak Really Means

Image: Twitter logo (Rosie Struve; Getty Images)

Following reports in late 2022 that hackers were selling stolen data on 400 million Twitter users, researchers now say a widely circulating pool of email addresses tied to about 200 million users is most likely a refined version of that larger set, with duplicate entries removed. The social network has yet to comment on the massive disclosure, but the data cache clarifies the severity of the leak and who may be most at risk as a result.

From June 2021 to January 2022, a bug in one of Twitter's application programming interfaces (APIs) allowed anyone to submit a piece of contact information, such as an email address or phone number, and receive back the Twitter account linked to it, if one existed. Before it was patched, attackers exploited the flaw to "scrape" data from the social network at scale. The bug did not expose passwords or other sensitive data such as DMs, but it did reveal the link between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers behind them, which is enough to identify the people who run those accounts.
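The flaw described above is a classic account-enumeration oracle: the response to a lookup tells the caller whether a contact is registered and which account it belongs to. The following is an added example, not Twitter's code or a description of Twitter's fix. It models that behaviour on a constructed account table, shows how an attacker replays contacts from earlier breaches against it, and pairs it with two assumed countermeasures: a hardened endpoint that answers identically for hits and misses and rate-limits callers, and a detection check over constructed request-log lines that flags callers probing many distinct contacts. All handles, addresses and log lines are invented for the illustration.

```python
"""Added example, not Twitter's code: a contact-lookup endpoint modelled on the
flaw the article describes, the attacker's use of it as an enumeration oracle,
and an assumed hardened variant plus a log-side detection check.
All account data, handles and request logs below are constructed."""
from collections import defaultdict

# Constructed sample data: pseudonymous handles and the contacts linked to them.
ACCOUNTS = {
    "alice@example.com": "@anon_whistle",
    "+15550001111": "@anon_whistle",
    "bob@example.net": "@bob_public",
}


def vulnerable_lookup(contact):
    """The flawed behaviour: the response itself reveals whether the contact is
    registered and, if so, which (possibly pseudonymous) account it belongs to."""
    return ACCOUNTS.get(contact)


def scrape(contacts):
    """Attacker side: replay contacts harvested from earlier breaches and keep
    the ones that resolve. No password or session is needed; the oracle does
    the work of linking a real-world identity to a handle."""
    hits = {}
    for contact in contacts:
        handle = vulnerable_lookup(contact)
        if handle is not None:
            hits[contact] = handle
    return hits


class HardenedLookup:
    """Assumed hardened variant (not Twitter's actual fix): the caller gets the
    same response whether or not the contact is linked, the handle is never
    returned, and each caller has a quota. A match is acted on server-side."""

    def __init__(self, quota_per_caller=10):
        self.quota = quota_per_caller
        self.calls = defaultdict(int)
        self.notified = []  # server-side record of owners to notify out of band

    def lookup(self, caller_id, contact):
        self.calls[caller_id] += 1
        if self.calls[caller_id] > self.quota:
            return {"status": "rate_limited"}
        if contact in ACCOUNTS:
            # Act on the match internally instead of telling the caller anything.
            self.notified.append(ACCOUNTS[contact])
        return {"status": "ok"}  # identical for hit and miss


def flag_enumerators(log_lines, threshold=3):
    """Detection side: given request-log lines of the constructed form
    '<timestamp> caller=<id> contact=<value>', return callers that looked up
    more distinct contacts than a normal client would. Telemetry like this is
    what lets an operator say whether a bug was exploited while it was live."""
    distinct = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        distinct[fields["caller"]].add(fields["contact"])
    return sorted(c for c, seen in distinct.items() if len(seen) > threshold)


# Constructed inputs for a stand-alone run.
BREACH_LIST = ["alice@example.com", "carol@example.org",
               "+15550001111", "dave@example.com"]
SAMPLE_LOG = [
    "2022-01-05T10:00:01Z caller=app-7f3 contact=alice@example.com",
    "2022-01-05T10:00:02Z caller=app-7f3 contact=bob@example.net",
    "2022-01-05T10:00:03Z caller=scraper-01 contact=a@example.com",
    "2022-01-05T10:00:04Z caller=scraper-01 contact=b@example.com",
    "2022-01-05T10:00:05Z caller=scraper-01 contact=c@example.com",
    "2022-01-05T10:00:06Z caller=scraper-01 contact=d@example.com",
]

if __name__ == "__main__":
    print("vulnerable endpoint leaks:", scrape(BREACH_LIST))
    hardened = HardenedLookup(quota_per_caller=2)
    print([hardened.lookup("scraper-01", c)["status"] for c in BREACH_LIST])
    print("suspicious callers:", flag_enumerators(SAMPLE_LOG))
```

The scraper needs only a list of addresses and phone numbers, which is exactly what earlier breaches supply; that is why a "harmless" lookup endpoint is dangerous for pseudonymous users. The hardened variant removes the signal rather than just slowing it down, and the quota plus the distinct-contact check gives the operator evidence either way when asked whether the endpoint was abused.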

While it was live, the vulnerability appears to have been exploited by multiple actors to build separate data sets. One, which has been circulating on crime forums since the summer, contained the email addresses and phone numbers of about 5.4 million Twitter users. The huge trove that has just surfaced appears to contain only email addresses. Even so, the wide distribution of the data raises the risk that it will fuel phishing attacks, identity theft attempts and other targeted attacks on individuals.

Twitter has not responded to WIRED's requests for comment. The company described the API vulnerability in an August disclosure: "When we found out about it, we immediately investigated and fixed it. At the time, we had no evidence that anyone had exploited the vulnerability." If so, whatever monitoring Twitter had on the endpoint did not flag the scraping while it was under way.


Twitter is far from the first platform to have user data bulk-scraped through an API flaw, and in such cases it is common for confusion to arise about how many distinct data sets the exploitation actually produced. These incidents are still significant, however, because they add further linkages and validation to the massive amount of stolen user data already circulating in the criminal ecosystem.

"Apparently there were several people who were aware of this API vulnerability and several people who scraped it. Did different people scrape different things? How many troves are there? It doesn't matter," says Troy Hunt, founder of the breach-tracking website HaveIBeenPwned. Hunt added the Twitter data set to HaveIBeenPwned and says it contained information on more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in previous breaches recorded by HaveIBeenPwned. And Hunt says he has sent notification emails to nearly 1,064,000 of his service's 4,400,000 email subscribers.

"It's the first time I've sent a seven-figure email," he says. "Nearly a quarter of my total subscriber corpus is truly significant. But with so much of it already out there, I don't think this will be an incident that's going to have a long tail in terms of impact. But it can de-anonymize people. What worries me more are the people who wanted to protect their privacy."

Twitter wrote in August that it shares concerns about the possibility of users’ pseudonymous accounts being linked to their real identities due to the API vulnerability.

“If you are running a pseudonymous Twitter account, we understand the risks an incident like this can pose and we deeply regret that this has happened,” the company wrote. “To keep your identity as obfuscated as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”

For users who had not already tied their Twitter handles to burner email accounts by the time of the scraping, however, the advice comes too late. In August, the social network said it was notifying people who were potentially affected. The company has not said whether it will issue further notifications now that hundreds of millions of records have been disclosed.

The Irish Data Protection Commission said last month that it was investigating the incident, which exposed the email addresses and phone numbers of 5.4 million users. Twitter is also currently under investigation by the US Federal Trade Commission for violating a consent decree that obliges the company to improve its privacy and data-protection safeguards for users.

This story originally appeared on wired.com.