Hackers have leaked the email addresses of more than 200 Twitter users on an online underground hacker forum, as reported by a security researcher on Wednesday.
The data leak that has been termed as one of the most significant instances of user privacy breach in history could reveal the actual identities of anonymous Twitter users and enable criminals to actualize their plans.
Quick Facts
- The incident happened weeks ago when a dataset containing the private information of more than 400 million Twitter users was up for sale on hacker forums
- The dataset was uploaded on December 23, 2022, by a hacker with the alias “Ryushi”
- Screenshots of the Hacker Breach forum are now circulating online
According to the co-founder of Israeli firm Hudson RockAlon Gal, the leak will have negative consequences. It could initiate “hacking, targeted phishing and doxxing.”
How did Twitter Get Hacked?
The identity or location of the hacker is not known and there are no clues available as of now. The breach could have happened as early as 2021 before Elon Musk took over the company for $44 billion.
The hacker entered through a bug in Twitter’s systems that was subsequently fixed in 2022 after another major data breach involving 5.4 million Twitter accounts raised questions about Twitter’s security system in July.
They also used a “data scraping technique” that allowed him access to 400 million email addresses and phone numbers. However, duplicates were omitted to reveal more than 200 million compromised accounts. Privacy Affairs analysts, however, confirmed that phone numbers were not disclosed.
Moreover, the Data breach notification service Have I Been Pwned (HIBP) has featured the data leak and is notifying users if their email was used in the data set. Creator Troy Hunt revealed that there were 211,524,284 unique email addresses found in the leak.
In addition, the records contain Twitter users’ names, follower numbers, account handles, and the dates of creating these accounts, as revealed by forum listings shared with CNN. The hackers collect sample data from 37 celebrities, journalists, corporations, politicians, and government agencies.
The likes of Doja Cat, the World Health Organization (WHO), Alexandria Ocasio-Cortez, Piers Morgan, Donald Trump, and Shawn Mendes are a few names listed.
The earliest data breach reports were released in December 2022, and the forum listed the information for sale at $200,000, Privacy Affairs reported. Otherwise, multiple copies can be bought for $60,000 per sale. The database was 63 GB, and the leaked data could enable hackers to access Twitter users’ accounts.
The hacker then alerted the media platform of incurring a substantial GDPR fine for its loose security system. “Your best option to avoid paying $276 million USD in GDPR breach fines as Facebook did…is to buy this data exclusively,” Ryushi posted.
What’s Next for Twitter? How can Users Protect their Data?
Twitter has refused to comment on the breach so far, but it is nothing the microblogging site has not experienced before. Similar incidents at Twitter prompted it to sign two consent orders with the Federal Trade Commission in 2011 to strengthen its cybersecurity system.
Its former head of security, Peiter “Mudge” Zatko had notified the US government of the platform’s security issues last summer. He claimed that the company was violating its agreement with the FTC.
Currently, Twitter has proved to be an untrustworthy space for users. The leaked data would allow political propagandists and other malicious organizations to reveal the identities of anonymous Twitter handles that put the owners at risk.
They could be anyone from journalists to activists who are at risk worldwide. Hackers can use the information to initiate password-reset attempts and users who share the same account credentials across multiple platforms are at major risk of being taken over.
Verified Twitter users who got mixed into the leak, particularly those with large followings, will be vulnerable targets due to the breach. Even Twitter has seemingly turned away from the disastrous security violation that has now exploded into controversy. It is not known whether Twitter has taken action to alleviate the problem.
In such circumstances, internet users are advised to use unique passwords for every online service and back it up with a digital password manager. Using multi-factor authentication for different accounts and approaching unsolicited emails or links with caution are the only solutions as of now.