Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Over 200m Twitter users’ emails have been leaked online

Quite aside from the ongoing car crash that is Elon Musk’s tenure as CEO of the social media company, Twitter has not had a great time recently — especially when it comes to security.

user icon David Hollingworth
Fri, 06 Jan 2023
Over 200m Twitter users’ emails have been leaked online
expand image

Twitter’s most recent security woes involve the leak of 235 million user emails and profiles. This is somewhat of an improvement on the initial figure of 400 million emails leaked, which was initially revealed by Israeli security firm Hudson Rock.

The 400-million figure is now supposed to have contained a number of duplicate files that have since been removed, according to Alon Gal, the company’s chief technology officer and co-founder.

“I now believe the final count of this database is 235,000,000 users rather than the initial 400,000,000 figure,” Gal said on Twitter. “Further the database likely contains the email addresses (private information) and public information of Twitter users - but not their phone numbers.”

============
============

The information appears to have been on the market since July of last year, and dates back to an API vulnerability that has since been patched. Personal data gleaned from previous breaches was then used to match user emails to their phone numbers.

Data breach expert Troy Hunt of Have I Been Pwned is already tracking the incident.

“The data was obtained sometime in 2021 by abusing an API that enabled email addresses to be resolved to Twitter profiles,” Have I Been Pwned reports. “The subsequent results were then composed into a corpus of data containing email addresses alongside public Twitter profile information including names, usernames and follower counts.”

According to Gal, “This is one of the most significant leaks I’ve seen”. However, many have questioned his claims, via his comments on both Twitter and LinkedIn, arguing that this information was not that hard to come by in the first place, and was simply scraped from the site.

“Given the only non-public data it contains is the email address, this won’t directly lead to anything: the hacker must still infiltrate the email address or the account itself,” said Ron Scott-Adams, competitive strategist at VMware.

Gal believes the data is far more useful — and dangerous. He believes it can be used to target crypto and political accounts, among other things.

“It goes without saying that agencies around the world will use this database as well to further harm our privacy,” Gal said.

The Guardian reported last year that former prime minister Scott Morrison’s email address was a part of the leaked data, alongside a number of other high-profile accounts. Gal believes the leak to be in part responsible for the hacking of media commentator Piers Morgan’s account, after it tweeted a raft of abusive messages, before having all its content wiped in December.

This most recent breach follows a costly incident in the middle of last year. After 5.4 million user records were leaked in July of 2022, Twitter was then accused of attempting to cover up the breach.

We have reached out to Twitter for comment.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.