Hackers publish email addresses linked to 200 million Twitter accounts, according to security researchers

Email addresses linked to more than 200 million Twitter profiles are currently circulating on underground hacker forums, security experts say.

The apparent data leak could expose the real identities of anonymous Twitter users and make it easier for criminals to hijack Twitter accounts, experts warned, or even victims’ accounts on other websites.

The trove of leaked logs also includes Twitter user names, account names, number of followers and account creation dates, according to forum listings reviewed by security researchers and shared with .

Rafi Mendelsohn, a spokesman for Cyabra, a social media analytics company that focuses on identifying misinformation and inauthentic behavior on the Internet, says: “The bad actors hit the jackpot. Previously private data, such as email addresses, usernames, and date created, can be leveraged to build smarter and more sophisticated hacking, phishing, and disinformation campaigns.”

Some reports suggested that the data was collected in 2021 through a bug in Twitter’s systems, a flaw that the company corrected in 2022 after a separate incident in July involving 5.4 million Twitter accounts alerted the company to the vulnerability.

Troy Hunt, a security researcher, said this Thursday that his analysis of the data “found 211,524,284 unique email addresses” that had been leaked. The Washington Post newspaper reported previously that a forum listing promoted the data of 235 million accounts.

Hunt did not immediately respond to a question about whether the records would be added to his website, haveibeenpwned.com, which allows users to search hacked records to determine whether they were affected. The authenticity of the records has not been independently verified.

Twitter did not immediately respond to a request for comment. Its communications team, along with about half of Twitter’s total staff, was laid off after billionaire Elon Musk completed his acquisition of the company in late October. Those major staff reductions could now add to concerns about the company’s ability to respond to security threats.

The breadth of the leaked data could allow malicious actors or repressive governments to connect anonymous Twitter accounts to the real names or email addresses of their owners, potentially exposing dissidents, journalists, activists and other at-risk users around the world, security researchers warn.

“For those people, this is a very important vulnerability,” says John Scott-Railton, a security researcher at the Citizen Lab at the University of Toronto.

Account data could also be valuable to hackers, who could use it to attempt password resets and hijack accounts. According to the researchers, the risk is especially high for people who reuse the same credentials on Twitter and on other digital services, such as banks or cloud storage, because hackers could use the information obtained from the leak to break into those users’ accounts on other sites.

Verified Twitter users affected by the apparent leak, or users with particularly high follower counts, will be especially valuable targets as a result of the leak, security experts warned, because the holders of those accounts may be particularly influential, celebrities, or susceptible to extortion.

To protect against phishing attempts and account takeover, users should use a unique password for each online service and keep track of them with a password manager, security researchers say. They should also turn on multi-factor authentication for each of their accounts and be careful when opening unsolicited emails or links.

According to the cybersecurity news outlet Bleeping Computer, which said it had analyzed the data, the recent leak appears similar to one advertised on hacker forums in November, which contained 400 million records, though this one has been whittled down to remove some duplicates. Twitter has not commented on that leak.

Reports of the leak could add to Twitter’s already significant legal and regulatory risk.

In December, Twitter’s lead privacy regulator in Europe, the Irish Data Protection Commission, said it is investigating the July 2022 leak as a possible violation of Europe’s flagship privacy law, the General Data Protection Regulation (GDPR).

Last summer, the company’s former head of security Peiter “Mudge” Zatko submitted a report to the US government exposing long-ignored security vulnerabilities in Twitter’s operations. Zatko claimed that Twitter’s security deficiencies reflected a breach of the company’s binding commitments to the Federal Trade Commission (FTC), which constituted a felony. (Twitter widely and repeatedly rebutted Zatko’s allegations.)

Successive incidents on Twitter have led the company to sign two consent orders with the FTC since 2011 to improve its cybersecurity posture. Failure to comply with the FTC’s orders can result in fines, business restrictions, and even penalties against individual executives.

In November, senior Twitter officials responsible for privacy and security resigned from the company, just days after Musk closed the acquisition of the platform and amid mass layoffs that in some cases impacted entire departments.
