Features

Hackers post emails connected to 200 million Twitter accounts, security researchers claims

Security professionals claim that emails connected to far more than 200 million Twitter profiles are actively being traded on darknet hacker forums. According to the experts, the alleged data leak might reveal the real names of anonymous Twitter users and make it easier for thieves to take over victims’ accounts on other websites or even Twitter accounts.

According to forum listings examined by security researchers, the data breach also exposed Twitter users’ identities, account handles follower totals and the dates on which their accounts were set up.

Rafi Mendelsohn, a spokeswoman for Cyabra, a social media research company that specializes in spotting false material and untruthful online activity, declared that “bad actors won the jackpot.” “Private information that was once private, such emails, handles, and creation dates, can be used to create hacking, phishing, and disinformation campaigns that are smarter and more complex.”

According to some sources, the information was obtained in 2021 via a system bug at Twitter, which the firm corrected in 2022 as a result of a related incident in July involving 5.4 million Twitter accounts. Security researcher Troy Hunt reported on Thursday that he had “discovered 211,524,284 unique email addresses” in the data that had been released. The Washington Post previously reported on a forum listing that advertised 235 million accounts’ data.

When asked if the records would be posted to his website, haveibeenpwned.com, which enables people to search hacked records to see if they have been affected, Hunt did not react right away. An inquiry for comment was not immediately answered by Twitter. After billionaire Elon Musk completed his acquisition of the firm in late October, Twitter’s communication department was eliminated, along with almost half of its entire personnel. The company’s capacity to respond to security threats may now be even more of a problem in light of the huge workforce layoffs.

Security researchers warn that the scope of the exposed information could enable criminals or oppressive governments to link anonymous Twitter handles to the real names or email addresses of their owners, potentially revealing dissidents, journalists, activists, or other vulnerable users all over the world.

According to John Scott-Railton, a security researcher at The University of Toronto’s Citizen Lab, “For those folks, this is a consequential compromise.”

Hackers may find the account information important and use it to attempt password resets and take over accounts. Researchers noted that since hackers may utilize information gathered from the Twitter account to access other digital services like banking or cloud storage, the risk is especially great for people who do so.

Security experts warned that individuals who are verified on Twitter and who appear to have been affected by the breach, or those with very significant followings, will be highly valuable targets as a result of the leak because the owners of those accounts may be particularly powerful celebrities or vulnerable to extortion.

Internet users should create different passwords for every online service they use and maintain them with a digital password manager, according to security researchers, to protect themselves against phishing attacks. Additionally, they should turn on multi-factor authentication for each of their accounts and use caution when clicking on links or emails that they did not ask for. The current dump resembles a leaked dataset posted on hacking forums in November that contained a claimed 400 million entries, although it has been trimmed down to remove some duplicate records, according to cybersecurity news outlet BleepingComputer, which did claim to examine the data. On that leak, Twitter has not made any comments.

The already high legal and regulatory risk facing Twitter could grow as a result of the leak reports. The Irish Data Protection Commission, Twitter’s primary European privacy watchdog, announced in December that it is looking into the July 2022 leak as a potential GDPR infringement.

Peiter “Mudge” Zatko, the company’s former head of security, reported to the US government as a whistleblower this summer citing long-ignored security flaws in Twitter’s operations. According to Zatko, Twitter’s security flaws were a significant violation of its legally-binding agreements with the Federal Trade Commission. (Twitter vigorously and repeatedly refuted Zatko’s claims.)

Since 2011, Twitter has signed two consent agreements with the FTC to strengthen its cybersecurity posture as a result of a series of events. FTC orders can be broken, which can result in penalties, company limitations, and even executive-targeting consequences.

Just days after Musk completed the purchase of the platform and in the midst of the widespread layoffs, key Twitter executives in charge of privacy and security announced their resignations from the firm in November.