Twitter data leak – over 200 million user data open to the public

Twitter users face a major security threat as threat actors publicly disclosed 63GB of data, connecting over 200 million Twitter users with their names and email addresses.

Threat actors exposed an unprecedented amount of information about Twitter users, including over 200 million unique records of usernames and email addresses. Worryingly, the database is available for anyone to download, posing severe security risks to millions of people.

According to Mantas Sasnauskas, the Head of Security Research at Cybernews, the publicly accessible dataset contains 63GB of data about Twitter users. Unlike the previous Twitter leak, announced in late December, the recently leaked dataset is entirely public, allowing anyone to download it.

Twitter leak
Leaked data sample includes celebrities such as British comedian Ricky Gervais. The total volume of the dataset exceed 63GB. Image by Cybernews.

“The number of users in the leak is huge. Moreover, user emails are connected to their Twitter handles and names. Now available to any threat actor, this information will potentially lead to social engineering attacks and doxxing,” Sasnauskas said.

You can head over to the Cybernews personal data leak checker now. Our researchers are updating the tool with the publicly revealed Twitter scrape data so you could check if your data was included in the newly leaked dataset.

Twitter leak

In late December, threat actors posted an ad on a popular hacking forum, claiming they were selling the data of over 400 million Twitter users. At the time, threat actors behind the wanted to sell the data for up to $200k.

The dataset announced in December, included Twitter handles, usernames, email addresses, and phone numbers. The same type of information is included in the publicly disclosed database. Threat actors likely used the earlier leak to create a comprehensive database, removed duplicates and ended up with a smaller but more accurate database.

Since it is estimated that Twitter has over 320 million users, the publicly disclosed database likely allows to connect Twitter handles, with user names and email addresses of majority of the social network's users.

Security experts think that consumers are getting used to their data being leaked left and right and are unlikely to be shocked by the Twitter leak. Meanwhile, data protection watchdogs will keep a keen eye on Elon Musk’s company. Ireland’s Data Protection Commission (DPC) said it “will examine Twitter’s compliance with data protection law in relation to that security issue” after last week’s leak.

Researchers have already noted that prominent figures had their Twitter accounts hacked after attackers put up an ad selling Twitter user data. It’s probably not a coincidence that the Twitter account of Piers Morgan, a British media personality, was hacked and then wiped.

Twitter leak
Ad announcing the the leak of 200m accounts. Image by Cybernes.

API problems

Threat actors likely obtained the Twitter data using abusing system flaws to harvest user information at scale, a practice known as ‘scraping.’ According to Alon Gal, Co-Founder and CTO of Hudson Rock, the Twitter data might have been obtained from an application programming interface (API) vulnerability.

“The data is increasingly more likely to be valid and was probably obtained from an API vulnerability enabling the threat actor to query any email/phone and retrieve a Twitter profile, “Gal said in a post on Linkedin.

The bug Gal wrote about is the same that piqued the interest of Irish regulators over Twitter losing the data of 5.4m users last July. The flaw allowed them to input phone numbers and email addresses into Twitter API and receive a Twitter user ID, eventually allowing them to create a dataset consisting of both public and private data.

The Twitter scrape marks a second major leak in two months. On November 16, a threat actor posted an ad, selling a 2022 database of 487 million WhatsApp user mobile numbers. A data sample investigated by Cybernews likely confirms this to be true. Leaked phone numbers and email addresses pose significant dangers to their owners. Threat actors could use the data to carry out phishing attacks, impersonation, and fraud.

Facebook, Linkedin, and many others previously leaked millions of users’ data. Meta, Facebook’s parent company, was fined €265m ($277m) by Ireland’s data privacy regulator for leaking data of millions of users. Twitter is already facing repercussions from European authorities for leaking data of 5.4m users in July.

More from Cybernews:

Twitter data leak - 400 million user details up for sale

Cybersecurity firm links Piers Morgan Twitter hack to massive leak of user data

Crooks monitor Twitter complaints to target users via phishing

Cricket-oriented platform ‘drops a dolly’ exposing user data

TikTok parent ByteDance cuts hundreds of jobs in China

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked