200 million Twitter users' email addresses allegedly leaked online.
A data leak described as containing email addresses for over 200 million Twitter users has been published on a popular hacker forum for about $2. BleepingComputer has confirmed the validity of many of the email addresses listed in the leak.
Since July 22nd, 2022, threat actors and data breach collectors have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and email addresses) and public data on various online hacker forums and cybercrime marketplaces.
These data sets were created in 2021 by exploiting a Twitter API vulnerability that allowed users to input email addresses and phone numbers to confirm whether they were associated with a Twitter ID.
The threat actors then used another API to scrape the public Twitter data for the ID and combined this public data with private email addresses/phone numbers to create profiles of Twitter users.
Though Twitter fixed this flaw in January 2022, multiple threat actors have recently begun to leak the data sets they collected over a year ago for free.
The first data set of 5.4 million users was put up for sale in July for $30,000 and ultimately released for free on November 27th, 2022. Another data set allegedly containing the data for 17 million users was also circulating privately in November.
More recently, a threat actor began selling a data set that they claimed contained 400 million Twitter profiles collected using this vulnerability.
200 million lines of Twitter profiles released for free.
Today, a threat actor released a data set consisting of 200 million Twitter profiles on the Breached hacking forum for eight credits of the forum's currency, worth approximately $2.
This data set is allegedly the same as the 400 million set circulating in November but cleaned up to not contain duplicates, reducing the total to around 221,608,279 lines. However, BleepingComputer's tests have also confirmed duplicates in this latest leaked data.
The initial sale of Facebook data in June 2022 Source: BleepingComputer.
The data was released as a RAR archive consisting of six text files for a combined size of 59 GB of data.
RAR archive containing leaked Twitter data Source: BleepingComputer.
Each line in the files represents a Twitter user and their data, which includes email addresses, names, screen names, follow counts, and account creation dates, as shown below.
Sample of leaked Twitter data Source: BleepingComputer.
Unlike previously leaked data collected using this Twitter API flaw, today's leak does not indicate whether an account is verified.
While BleepingComputer has been able to confirm that the email addresses are correct for many of the listed Twitter profiles, the full data set has obviously not been confirmed.
Furthermore, the data set is far from complete, as there were many users who were not found in the leak.
Whether or not your information is in this data set highly depends on whether your email address was exposed in previous data breaches.
In 2021, the threat actors created massive lists of email addresses and phone numbers that were exposed in previous data breaches.
The scrapers then fed these lists into the API bug to see if your number or email address was associated with a corresponding Twitter ID with the email or phone number.
If your email address is only used at Twitter or was not in many data breaches, it would not have been fed into the API bug and added to this data set.
BleepingComputer has contacted Twitter regarding this leaked data but has not received a response to this or our previous emails.
Is your email in the leak?
Data breach notification service Have I Been Pwned (HIBP) has added the Twitter data leak to its system and has begun notifying subscribers if their email was found in the data set.
Troy Hunt, the creator of HIBP, told BleepingComputer that there is a total of 211,524,284 unique email addresses in the leak, down from the original number of 221,608,279 lines.
To check if your email is part of the Twitter leak, you can visit Have I Been Pwned and search with your email. If your email is part of the leak, HIBP will notify you with the list of detected data breaches, including the Twitter one, shown below.
Have I Been Pwned result for the 200 million user Twitter leak Source: BleepingComputer.
What should you do if your listed?
Even though this data leak only contains email addresses, it could be used by threat actors to conduct phishing attacks against accounts, especially verified ones.
Verified accounts with large followers are highly valued as they are often used to steal cryptocurrency through online scams.
This leak is also a significant privacy concern, especially for Twitter users who tweet anonymously. With this leak, it may be possible to identify anonymous Twitter users and expose their real identities.
All Twitter users should be on the lookout for targeted phishing scams that attempt to steal your passwords or other sensitive information.
Unfortunately, if you are concerned about your identity being revealed by a leaked email address, there is not much you can do.
Update 1/5/23: Twitter users can now search on Have I Been Pwned to see if they are in the leak.