Main menu

Pages

What the Leak of 200 Million Twitter Emails Really Means

featured image

twitter logo

Rosie Struve; Getty Images

Following reports in late 2022 that hackers were selling stolen data from 400 million Twitter users, researchers now say that a widely publicized trove of email addresses linked to some 200 million users is likely a refined version of larger treasure with removed duplicate entries. The social network has not yet commented on the massive exposure, but the data cache clarifies the severity of the leak and who may be most at risk as a result of it.

From June 2021 to January 2022, there was a bug in a Twitter application programming interface, or API, that allowed attackers to submit contact information, such as email addresses, and receive the associated Twitter account if there are in return. Before being fixed, attackers exploited the flaw to “scrape” data from the social network. And while the bug did not allow hackers to access passwords or other sensitive information such as DMs, it exposed the connection between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers linked to them, potentially identifying users.

While it was active, the vulnerability was apparently exploited by various actors to create different collections of data. One that has been circulating on crime forums since the summer includes the email addresses and phone numbers of some 5.4 million Twitter users. The huge newfound treasure seems to only contain email addresses. However, the wide circulation of data creates the risk of fueling phishing attacks, identity theft attempts and other individual targeting.

Twitter did not respond to WIRED’s requests for comment. The company I wrote on the API vulnerability in an August disclosure: “When we heard about it, we immediately investigated and fixed it. At that time, we had no evidence to suggest anyone had taken advantage of the vulnerability.” Apparently, Twitter’s telemetry was insufficient to detect malicious scraping.

Twitter is far from the first platform to expose data to mass extraction via an API flaw, and it’s common in these scenarios for confusion over how many distinct troves of data actually exist as a result of malicious exploitation. These incidents are still significant because they add further connections and validation to the massive body of stolen data that already exists in the criminal ecosystem about users.

“Obviously there are a number of people who were aware of this API vulnerability and a number of people who have mined it. Different people shave different things? How many treasures are there? It kind of doesn’t matter,” says Troy Hunt, founder of the breach tracking website HaveIBeenPwned. Hunt ingested the Twitter dataset at HaveIBeenPwned and says it represented information about more than 200 million accounts. Ninety-eight percent of email addresses have been exposed in previous breaches reported by HaveIBeenPwned. And Hunt says he has sent notification emails to nearly 1,064,000 of his service’s 4,400,000 million email subscribers.

“It’s the first time I’ve sent a seven-digit email,” he says. “Almost a quarter of my entire subscriber corpus is really significant. But since a lot of that was already out there, I don’t think this is going to be a long-tail incident in terms of impact. But it can deanonymize people. I am most concerned about individuals who want to maintain their privacy.”

Twitter wrote in August that it shared this concern about the potential for users’ pseudonymous accounts to be linked to their real identities as a result of the API vulnerability.

“If you operate a pseudonymous Twitter account, we understand the risks that an incident like this can present and we are deeply sorry that this has happened,” the company wrote. “To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”

For users who hadn’t yet linked their Twitter handles to recorder email accounts at the time of scraping, though, the advice comes too late. In August, the social network said it was notifying potentially affected individuals of the situation. The company did not say whether it would make further notifications in light of the hundreds of millions of exposed records.

Ireland’s Data Protection Commission said last month it was investigating the incident that produced a hoard of 5.4 million users’ email addresses and phone numbers. Twitter is also currently under investigation by the US Federal Trade Commission over whether the company violated a “consent decree” that forced Twitter to improve its privacy measures and protect user data.

This story originally appeared on wired.com.