A data leak described as containing email addresses for over 200 million Twitter users has been published on a popular hacker forum for about $2. BleepingComputer has confirmed the validity of many of the email addresses listed in the leak.
Since July 22nd, 2022, threat actors and data breach collectors have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and email addresses) and public data on various online hacker forums and cybercrime marketplaces.
These data sets were created in 2021 by exploiting aTwitter API vulnerabilitythat allowed users to input email addresses and phone numbers to confirm whether they were associated with a Twitter ID.
The threat actors then used another API to scrape the public Twitter data for the ID and combined this public data with private email addresses/phone numbers to create profiles of Twitter users.
Though Twitter fixed this flawin January 2022, multiple threat actors have recently begun to leak the data sets they collected over a year ago for free.
Thefirst data set of 5.4 million userswas put up for sale in July for $30,000 and ultimatelyreleased for freeon November 27th, 2022. Another data set allegedly containing the data for 17 million users was also circulating privately in November.
More recently, a threat actor began selling a data set that they claimed contained 400million Twitter profiles collected using this vulnerability.
200 million lines of Twitter profiles released for free
Today, a threat actor released a data set consisting of 200 million Twitter profiles on the Breached hacking forum for eight credits of the forum's currency, worth approximately $2.
This data set is allegedly the same as the 400 million set circulating in November but cleaned up to not contain duplicates, reducing the total to around 221,608,279 lines.However, BleepingComputer's tests have also confirmed duplicates in this latestleaked data.
The data was released as a RAR archive consisting of six text files for a combined size of 59 GB of data.
Each line in the files represents a Twitter user and their data, which includes email addresses, names, screen names, follow counts, and account creation dates, as shown below.
Unlike previously leaked data collected using this Twitter API flaw, today's leak does not indicate whether an account is verified.
While BleepingComputer has been able to confirm that the email addresses are correct for many of the listed Twitter profiles, the full data set has obviously not been confirmed.
Furthermore, the data set is far from complete, as there were many users who were not found in the leak.
Whether or not your information is in this data set highly depends on whether your email address was exposed in previous data breaches.
In 2021, the threat actors created massive lists of email addresses and phone numbers that were exposed in previous data breaches.
The scrapers then fed these lists into the API bug to see if your number or email address was associated with a corresponding Twitter ID with the email or phone number.
If your email address is only used at Twitter or was not in many data breaches, it would not have been fed into the API bug and added to this data set.
BleepingComputer has contacted Twitter regarding this leaked data but has not received a response to this or our previous emails.
Is your email in the leak?
Data breach notification serviceHave I Been Pwned(HIBP) has added the Twitter data leak to its system and has begun notifying subscribers if their email was found in the data set.
Troy Hunt, the creator of HIBP, told BleepingComputer that there is a total of 211,524,284 unique email addresses in the leak, down from the original number of 221,608,279 lines.
To check if your email is part of the Twitter leak, you can visit Have I Been Pwned and search with your email. If your email is part of the leak, HIBP will notify you with the list of detected data breaches, including the Twitter one, shown below.
What should you do if your listed?
Even though this data leak only contains email addresses, it could be used by threat actors to conduct phishing attacks against accounts, especially verified ones.
Verified accounts with large followers are highly valued as they are often used to steal cryptocurrency through online scams.
This leak is also a significant privacy concern, especially for Twitter users who tweet anonymously. With this leak, it may be possible to identify anonymous Twitter users and expose their real identities.
All Twitter users should be on the lookout for targeted phishing scams that attempt to steal your passwords or other sensitive information.
Unfortunately, if you are concerned about your identity being revealed by a leaked email address, there is not much you can do.
Update 1/5/23: Twitter users can now search on Have I Been Pwned to see if they are in the leak.
Related Articles:
Cox fixed an API auth bypass exposing millions of modems to attacks
Dallas County: Data of 200,000 exposed in 2023 ransomware attack
GitLab: Critical bug lets attackers run pipelines as other users
CISA urges devs to weed out OS command injection vulnerabilities
CISA urges software devs to weed out SQL injection vulnerabilities
