Twitter claims there’s “no evidence” 200 million leaked usernames and email addresses came from an exploit of its systems (2024)

A database posted online claims to reveal more than 200 million associated Twitter usernames and email addresses. Now, several days after the initial reports, Twitter says the “dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.”

According to reports from security researchers and media outlets including BleepingComputer, the credentials in the leak were compiled from a number of earlier Twitter breaches dating back to 2021. According to Twitter, however, there is “no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.”

Its statement addresses the information in the datasets only by saying, “The data is likely a collection of data already publicly available online through different sources.”

The Verge contacted Twitter for additional clarity about the accuracy of the records in the leaks, but Twitter has not had a functioning press office since being acquired by Elon Musk.

Twitter:

5.4 million user accounts reported in November were found to be the same as those exposed in August 2022.

400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident.

200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.

Both datasets were the same, though the second one had the duplicated entries removed.

None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.

“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the data on LinkedIn. “[It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.” The datasets don’t contain passwords, as experts and Twitter have pointed out, but email addresses can still be especially useful for hackers targeting specific accounts.

Estimates of the exact number of users affected by the breach vary, in part because of the tendency for such large-scale data dumps to include duplicate records. Screenshots of the database shared by BleepingComputer show it contains a number of text files listing email addresses and linked Twitter usernames as well as users’ real names (if they shared them with the site), their follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being sold on one hacking forum for as little as $2.

Troy Hunt, creator of the cybersecurity alert site Have I Been Pwned, also analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks to be pretty much what it’s been described as.”

The breach has now been added to Have I Been Pwned’s systems, meaning anyone can visit the site and enter their email address to see if it was included in the database.

The origin of the database seems to trace back to 2021, reports The Washington Post, when hackers discovered a vulnerability in Twitter’s security systems. The flaw allowed malicious actors to automate account lookups, entering email addresses and phone numbers en masse to see if they were associated with Twitter accounts.

Twitter disclosed this vulnerability in August 2022, saying it had fixed the issue in January of that year after it was reported through its bug bounty program. The company claimed at the time it “had no evidence to suggest someone had taken advantage of the vulnerability,” but cybersecurity experts had already spotted databases of Twitter credentials for sale in July of that year.

The company also said on Wednesday that its investigations showed that around 5.4 million user accounts had been exposed in November. That appears to be the only dataset it’s attributing to the years-old vulnerability, which went unnoticed by Twitter for roughly seven months.

The breach is only the latest cybersecurity debacle to affect Twitter, which has long struggled to protect its users’ data. The company is already being investigated by the EU for the breach (based on first reports in July 2022) and is being probed by the FTC for similar security lapses. Last August, Twitter’s former head of security turned whistleblower on the company, Peiter “Mudge” Zatko, filed a complaint with the US government in which he claimed that the company was covering up “egregious deficiencies” in its cybersecurity defenses.

Update January 11th, 4:05PM ET: Added Twitter’s response to the incident claiming there’s no evidence linking most of the leaked IDs to data from its systems.

FAQs

What was the root cause of the Twitter data breach?

How was Twitter hacked? Hackers exploited an API vulnerability to gain unauthorized access to Twitter's user data, matching email addresses with profiles. This security flaw persisted from June 2021 to January 2022, ultimately leading to the exposure of email addresses, names, and usernames for millions of users.

How do Twitter accounts get hacked?

Twitter hacks can occur when hackers acquire your personal information via data breaches or phishing, but they can also be the result of malware or brute force attacks.

When was the last time Twitter got hacked?

2022: “Devil” Hacker Steals 5.4M Twitter Users' Data

In July 2022, a self-titled “devil” hacker posted on the hacking forum BreachForums that they had stolen the personal information of 5.4 million Twitter users, as reported by Firewall Times.

Has LinkedIn been breached?

In 2023, LinkedIn experienced a significant security incident where data from millions of its users was compromised. This breach was particularly alarming due to LinkedIn's role as a leading professional networking platform.

What was the worst data breach in history?

The data breach of Yahoo is one of the worst and most infamous cases of a known cyberattack and currently holds the record for the most people affected. The first attack occurred in 2013, and many more would continue over the next three years.

Did Twitter leak parts of its source code?

Twitter moved on Friday to have the leaked code taken down by sending a copyright infringement notice to GitHub, an online collaboration platform for software developers where the code was posted, according to the filing. GitHub complied and took down the code that day.

Should I be worried if my Twitter account was hacked?

A compromised Twitter account can impact your privacy.

If someone has access to your Twitter account, they have access to your information associated with that account, such as your phone number. Privacy is only becoming more important, and there can be greater consequences when personal information is accessed.

How can I get my Twitter account back?

If your account was hacked and you can no longer log in, fill out the form at https://help.twitter.com/en/forms/account-access/regain-access/hacked-or-compromised.

How many Twitter accounts are hacked?

Data alleged to contain the email addresses of more than 200 million Twitter users is being given away for free on a hacker forum, reports say. The stolen information includes email addresses used to set up accounts, which will worry anonymous users who registered with a sensitive address.

How many Twitter accounts were fake?

Our analysis found that 19.42%, nearly four times Twitter's Q4 2021 estimate, fit a conservative definition of fake or spam accounts (i.e. our analysis likely undercounts).

What is Twitter Zero-Day?

The reason it's referred to as a "zero-day" vulnerability is that the software vendor essentially has "zero time" to patch it before it is exploited once a threat actor discovers the vulnerability. Software bugs, weak passwords, or a lack of authorization and encryption can all lead to zero-day vulnerabilities.

What are Twitter 200M accounts?

After reports at the end of 2022 that hackers were selling data stolen from 400 million Twitter users, researchers now say that a widely circulated trove of email addresses linked to about 200 million users is likely a refined version of the larger trove with duplicate entries removed.

Who got hacked in 2024?

June 2024: The government of Palau accused Chinese hackers of stealing over 20,000 government documents shortly after the island nation signed a 20-year economic and security deal with the United States in March 2024. Palau's president said this was the first major attack on government records that the island has seen.

What is the biggest password leak yet?

Passwords Leaked: A file with around 10 billion (1,000 crores) passwords was leaked via an online hacking forum, according to a report by Semafor. The compilation, which included old and new password breaches, was posted online on July 4 and is the largest such leak yet, the report added.

What is the mother of all data breaches?

In late January of 2024, it was announced that a massive data leak was discovered on the dark web, which included over 26 billion records and took up over 12 terabytes of data. It was almost instantly referred to as “the mother of all breaches” because of the staggering size of the data.

What is the root cause of data breaches?

Weak and stolen credentials

Although hacking attacks are frequently cited as the leading cause of data breaches, it's often the vulnerability of compromised or weak passwords or personal data that opportunistic hackers exploit.

What is the data issue with Twitter?

In the past, Twitter has experienced data spills that have led to the disclosure of user information. A notable incident is the theft of data from 400 million users between June 2021 and January 2022. This mass data leak on Twitter resulted from a bug in Twitter's Application Programming Interface.

How did the Exactis data breach happen?

The Exactis data breach occurred when a database containing 340 million records was found on a publicly accessible server, allowing anyone who knew its location to access the sensitive information. The specific methods used by hackers, if any, remain unclear, as well as the duration of the data exposure.

How do data breaches happen?

Data breaches can be the result of a deliberate attack, an unintentional error or oversight by an employee, or flaws and vulnerabilities in an organization's infrastructure.

Article information

Author: Carmelo Roob
