An apparent Twitter hack exposed the personal data from over 200 million Twitter accounts, and that information is easily available on the dark web, according to multiple news reports.
The leak reportedly contains a combination of names, usernames, and email addresses. It was posted on the dark web on Wednesday by a user with the name “StayMad.” You can purchase it for about $2 in cryptocurrency, per Gizmodo.
The leak comes from a vulnerability in Twitter’s systems that was likely exploited in 2021. The flaw has now generated an enormous database of information on users that could have security implications ranging from individual account compromises to backlash against anonymous and high-profile accounts on the platform.
“Bad actors have won the jackpot,” said Rafi Mendelsohn, vice president of marketing at Cyabra, a company that monitors and mitigates misinformation online, per CNN.
The flaw was first highlighted publicly in July 2022, when records on some 5 million Twitter users, including email addresses, were claimed to have been obtained and then posted online. The company promised to investigate. The leak also led to an investigation from Ireland’s Data Protection Commission.
But the database could have been created using the same vulnerability earlier than that, likely towards the end of 2021, per The Washington Post. Through the flaw, a hacker could feed Twitter’s API an email address or phone number, and the system would reveal whether it was associated with a Twitter account, said Jamie Boote of software security company Synopsys, per Bloomberg.
This process was then automated, generating an enormous database of information linked to Twitter accounts.
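The pattern described above is account enumeration: an endpoint whose reply differs depending on whether a submitted email or phone number is registered, which is then scripted at scale. The following added example (written for this page, not Twitter's code, using a constructed account table and constructed log lines) shows a lookup handler that leaks existence beside a hardened version that returns the same reply either way, plus a simple monitor that flags a client querying many distinct contacts in a short window, the signal an automated sweep leaves in request logs.

```python
import hashlib
from collections import defaultdict

# Constructed sample account table (hypothetical; not real Twitter data).
ACCOUNTS = {
    "alice@example.com": {"handle": "alice_h", "phone": "+15550000001"},
    "bob@example.com": {"handle": "bob_h", "phone": "+15550000002"},
}
# Reverse index so a phone number resolves to the same record as its email.
PHONE_INDEX = {v["phone"]: k for k, v in ACCOUNTS.items()}

# Stand-in for an out-of-band notification queue (constructed for the example).
NOTIFICATIONS = []


def lookup_contact_vulnerable(contact: str) -> dict:
    """Leaks account existence: the reply differs for registered and
    unregistered contacts, and even returns the linked handle."""
    email = PHONE_INDEX.get(contact, contact)
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"found": False}
    return {"found": True, "handle": acct["handle"]}


def lookup_contact_hardened(contact: str) -> dict:
    """Uniform reply: the caller learns nothing about whether the contact is
    registered. Any real action (e.g. a notification) goes out of band to the
    contact itself, never back in the HTTP response."""
    email = PHONE_INDEX.get(contact, contact)
    acct = ACCOUNTS.get(email)
    if acct is not None:
        NOTIFICATIONS.append(email)  # side effect only; reply below is fixed
    return {
        "status": "ok",
        "message": "If this contact matches an account, a notification will be sent.",
    }


class EnumerationMonitor:
    """Flags a client that queries more than max_distinct different contacts
    within window_seconds. Contacts are hashed so the monitor's own state
    does not hold raw email addresses or phone numbers."""

    def __init__(self, window_seconds: float = 60, max_distinct: int = 20):
        self.window_seconds = window_seconds
        self.max_distinct = max_distinct
        self.seen = defaultdict(list)  # client -> [(timestamp, contact_hash)]

    def record(self, client: str, contact: str, ts: float) -> bool:
        digest = hashlib.sha256(contact.encode()).hexdigest()
        cutoff = ts - self.window_seconds
        events = [(t, d) for t, d in self.seen[client] if t >= cutoff]
        events.append((ts, digest))
        self.seen[client] = events
        distinct = {d for _, d in events}
        return len(distinct) > self.max_distinct


# Constructed log lines: "<timestamp> <client> <contact>".
# 10.0.0.5 sweeps 25 different addresses; 10.0.0.9 retries one address 30 times.
SAMPLE_LOG = [f"{t} 10.0.0.5 user{t}@example.com" for t in range(25)] + [
    f"{t} 10.0.0.9 bob@example.com" for t in range(30)
]


def flag_enumerators(log_lines, window_seconds: float = 60, max_distinct: int = 20) -> set:
    """Run the monitor over log lines and return the set of flagged clients."""
    monitor = EnumerationMonitor(window_seconds, max_distinct)
    flagged = set()
    for line in log_lines:
        ts, client, contact = line.split()
        if monitor.record(client, contact, float(ts)):
            flagged.add(client)
    return flagged


if __name__ == "__main__":
    print(lookup_contact_vulnerable("+15550000001"))
    print(lookup_contact_hardened("+15550000001"))
    print(lookup_contact_hardened("nobody@example.com"))
    print(flag_enumerators(SAMPLE_LOG))
```

The hardened handler makes the existence check useless to a sweep because both branches return byte-identical replies; a production version would also rate-limit by client and keep response time independent of the branch taken. The monitor deliberately counts distinct contacts rather than raw request volume, so a user retrying the same address is not mistaken for enumeration.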
Twitter also said it has since fixed the flaw, but too late to prevent this database from being built.
This is an issue for a host of reasons. The leaked data could be used to break into accounts on services other than Twitter, particularly where the same or similar information is reused, per CNN.
Essentially, it’s not just about usernames and emails.
“Previously private data such as emails, handles, and creation date can be leveraged to build smarter and more sophisticated hacking, phishing and disinformation campaigns,” Mendelsohn added to the outlet.
In any case, the data set has already been circulated around and sold privately, Alon Gal, of Hudson Rock, a security company based in Israel, told the Post.
Elon Musk purchased Twitter in October and later laid off half of its staff, resulting in concerns over things like hate speech moderation or the viability of Twitter Spaces.
But the company’s security issues actually go back much further.
Twitter settled with the Federal Trade Commission (FTC) in 2011 over “charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information,” the agency wrote at the time.
“Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic,” the agency said in its complaint.
The FTC imposed compliance requirements on Twitter, such as independent audits.
But in a stunning whistleblower document and testimony before Congress in September, Peiter “Mudge” Zatko, who was a security chief at Twitter, said the company had severe security issues — and that it wasn’t complying with its agreements with the FTC. This, as CNN noted, is a serious violation.
“Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” a Twitter spokesperson told CNBC at the time. (Post-acquisition, the company’s communication staff were all laid off).
Per CNN, a security expert, Troy Hunt, said he reviewed the data and found over 200 million email addresses. Entrepreneur was not able to independently verify the leaked data. The Post reported that researchers said there were 235 million leaked accounts. It’s difficult to nail down the exact number because data leaks like these often have duplicates, per The Verge.
According to the Post, this data could be used to identify anonymous critics of governments that censor or retaliate against critics. (China is one example of such a country.) It could also be used to hack and extort high-profile accounts.
To be cautious, users can take a few measures to protect themselves, per Bloomberg: change your password and email address and add two-step verification.
After the July phone number and email leak, Twitter recommended removing identifiable or publicly known email addresses or phone numbers from any account that you want to stay anonymous, the outlet noted.