A data leak described as containing the email addresses of 200 million Twitter users has been posted on a popular hacker forum for around $2. BleepingComputer has confirmed the validity of most of the email addresses listed in the leak.
Since July 22, 2022, threat actors and data breach collectors have been selling and disseminating large datasets of recovered Twitter user profiles, containing both private data (phone numbers and email addresses) and public data, on various online hacker forums and cybercrime marketplaces.
These datasets were created in 2021 by leveraging a Twitter API vulnerability that allowed users to enter email addresses and phone numbers to confirm whether they were associated with a Twitter ID.
The threat actors then used another API to retrieve public data from Twitter for the ID and combined this public data with private email addresses/phone numbers to create Twitter user profiles.
Although Twitter patched this flaw in January 2022, several threat actors have recently started disclosing, for free, datasets they collected over a year ago.
The first dataset of 5.4 million users went on sale in July for $30,000 and was eventually published for free on November 27, 2022. Another dataset allegedly containing the data of 17 million users was also circulating privately in November.
More recently, a malicious actor began selling a dataset that they claimed contained 400 million Twitter profiles collected using this vulnerability.
200 million lines of Twitter profiles published for free
Today, a malicious actor posted a dataset consisting of 200 million Twitter profiles to the Breached hacking forum for eight credits of the forum’s currency, worth around $2.
This dataset is said to be the same as the 400 million set circulating in November, but cleaned so that it no longer contains duplicates. However, BleepingComputer's tests also found duplicates in this latest leaked data.
The data was released as a RAR archive consisting of six text files for a combined size of 59 GB of data.
Each row in the files represents a Twitter user and their data, which includes email addresses, names, screen names, number of follows, and account creation dates, as shown below.
Although BleepingComputer was able to confirm that the email addresses are correct for many of the Twitter profiles listed, the full dataset has obviously not been confirmed.
Additionally, the dataset is far from complete, as many users were not found in the leak.
Whether or not your information is in this dataset is highly dependent on whether your email address has been exposed in previous data breaches.
In 2021, threat actors created massive lists of email addresses and phone numbers that were exposed in previous data breaches.
The scrapers then fed these lists into the API bug to see whether each phone number or email address was associated with a Twitter ID.
If your email address is only used on Twitter or hasn't appeared in many data breaches, it wouldn't have been fed into the API bug and added to this dataset.
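As an added illustration, not code from the original article and not Twitter's implementation, the following Python models the kind of lookup endpoint described above beside a hardened version of the same check, with a small regression test a defender can run; the registry, identifiers and rate-limit values are constructed assumptions.

```python
# Added example: a minimal model of a contact-lookup endpoint that acts as an
# account-existence oracle, and a hardened form that removes the oracle and
# rate-limits bulk list-checking. All data below is constructed sample data.
import time
from collections import defaultdict

# Constructed registry: contact identifier -> account ID (hypothetical values)
REGISTRY = {"alice@example.com": 1001, "+15550100": 1002}


def vulnerable_lookup(identifier: str) -> dict:
    """Answers differently for registered and unregistered identifiers, so a
    breach-sourced email list can be turned into a list of account IDs."""
    if identifier in REGISTRY:
        return {"exists": True, "id": REGISTRY[identifier]}
    return {"exists": False}


class HardenedLookup:
    """Same check with the two mitigations the flaw lacked: an identical
    response regardless of membership, and a per-caller rate limit."""

    def __init__(self, max_calls: int, window_s: float = 60.0):
        self.max_calls = max_calls
        self.window_s = window_s
        self.calls = defaultdict(list)  # caller -> recent call timestamps

    def _allowed(self, caller: str, now: float) -> bool:
        recent = [t for t in self.calls[caller] if now - t < self.window_s]
        self.calls[caller] = recent
        if len(recent) >= self.max_calls:
            return False
        recent.append(now)
        return True

    def lookup(self, caller: str, identifier: str, now=None) -> dict:
        now = time.monotonic() if now is None else now
        if not self._allowed(caller, now):
            return {"status": "rate_limited"}
        # Membership is resolved internally (e.g. to decide whether to send a
        # recovery message) but the caller sees the same reply either way.
        _ = identifier in REGISTRY
        return {"status": "accepted"}


def oracle_leaks(lookup_fn, present: str, absent: str) -> bool:
    """Defender's regression check: does the endpoint answer differently
    for a registered and an unregistered identifier?"""
    return lookup_fn(present) != lookup_fn(absent)
```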
BleepingComputer contacted Twitter regarding this data breach but did not receive a response to this email or our previous emails.
What should you do?
Even though this data leak only contains email addresses, it could be used by malicious actors to carry out phishing attacks against accounts, especially verified accounts.
Verified accounts with large follower counts are highly valued, as they are often used to steal cryptocurrency through online scams.
This leak is also a significant privacy issue, especially for Twitter users who tweet anonymously. With this leak, it may be possible to identify anonymous Twitter users and expose their true identities.
All Twitter users should be on the lookout for targeted phishing scams that attempt to steal your passwords or other sensitive information.
Unfortunately, if you’re worried about your identity being revealed by a leaked email address, there’s not much you can do.