A database posted online claims to reveal more than 200 million associated Twitter usernames and email addresses. Now, several days after the initial reports, Twitter says the “dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.”
According to reports from security researchers and media outlets including BleepingComputer, the credentials in the leak were compiled from a number of earlier Twitter breaches dating back to 2021. According to Twitter, however, there is “no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.”
Its statement addresses the information in the datasets only by saying, “The data is likely a collection of data already publicly available online through different sources.”
The Verge contacted Twitter for additional clarity about the accuracy of the records in the leaks, but Twitter does not have a functioning press office since being acquired by Elon Musk.
Twitter:
5.4 million user accounts reported in November were found to be the same as those exposed in August 2022.
400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident.
200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.
Both datasets were the same, though the second one had the duplicated entries removed.
None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.
“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the data on LinkedIn. “[It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.” The datasets don’t contain passwords, as experts and Twitter have pointed out, but email addresses can still be especially useful for hackers targeting specific accounts.
Estimates of the exact number of users affected by the breach vary, in part because of the tendency for such large-scale data dumps to include duplicate records. Screenshots of the database shared by BleepingComputer show it contains a number of text files listing email addresses and linked Twitter usernames as well as users’ real names (if they shared them with the site), their follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being sold on one hacking forum for as little as $2.
Troy Hunt, creator of the cybersecurity alert site Have I Been Pwned, also analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks to be pretty much what it’s been described as.”
The breach has now been added to Have I been Pwned’s systems, meaning anyone can visit the site and enter their email address to see if it was included in the database.
The origin of the database seems to be traced back to 2021, reports The Washington Post, when hackers discovered a vulnerability in Twitter’s security systems. The flaw allowed malicious actors to automate account lookups —entering email addresses and phone numbers en masse to see if they were associated with Twitter accounts.
Twitter disclosed this vulnerability in August 2022, saying it had fixed the issue in January of that year after it was reported as a bug bounty. The company claimed at the time it “had no evidence to suggest someone had taken advantage of the vulnerability,” but cybersecurity experts had already spotted databases of Twitter credentials for sale in July of that year.
The company also said on Wednesday that its investigations showed that around 5.4 million user accounts had been exposed in November. That appears to be the only dataset it’s attributing to the years-old vulnerability, which went unnoticed by Twitter for roughly seven months.
The breach is only the latest cybersecurity debacle to affect Twitter, which has long struggled to protect its users’ data. The company is already being investigated by the EU for the breach (based on first reports in July 2022) and is being probed by the FTC for similar security lapses. Last August, Twitter’s former head of security turned whistleblower on the company, Peiter “Mudge” Zatko, filed a complaint with the US government in which he claimed that the company was covering up “egregious deficiencies” in its cybersecurity defenses.
Update January 11th, 4:05PM ET: Added Twitter’s response to the incident claiming there’s no evidence linking most of the leaked IDs to data from its systems.
FAQs
How was Twitter hacked? Hackers exploited an API vulnerability to gain unauthorized access to Twitter's user data, matching email addresses with profiles. This security flaw persisted from June 2021 to January 2022, ultimately leading to the exposure of email addresses, names, and usernames for millions of users.
How did Twitter account get hacked? ›
Twitter hacks can occur when hackers acquire your personal information via data breaches or phishing, but they can also be the result of malware or brute force attacks.
Has Twitter been hacked before? ›
Twitter's Similar attacks in the past
Many people fell for this scam, and it was enough to incentivize further scam attempts. Only last year, Twitter CEO Jack Dorsey's personal account was hacked. The company responded saying that it had fixed the flaw that had left his account vulnerable.
Does Twitter sell user data? ›
The Intercept reports that despite railing against state spying, the social media company has been quietly profiting off it this entire time — selling a "firehose" of user data for the explicit purpose of being used by law enforcement.
What is the 26 billion personal record? ›
Did you know that a recent data breach has exposed an astonishing 26 billion records? This supermassive leak of personal information has sent shockwaves through the cybersecurity world, highlighting the urgent need for robust data protection measures and heightened awareness of cyber threats.
What is the massive data breach in 2024? ›
Ticketmaster had an alleged 560 million records stolen in the Snowflake hack. A series of data thefts from cloud data giant Snowflake quickly snowballed into one of the biggest breaches of the year, thanks to the vast amounts of data stolen from its corporate customers.
Can you get your Twitter account back after being hacked? ›
For the Twitter account recovery system, click on Forgot Password on the login page >> enter your email, phone number, or username and click Search >> select the account recovery method >> provide the required details and follow the instructions >> after verifying your account click Reset Password to complete the ...
Can someone steal your Twitter account? ›
Phishing is a common method used by hackers to steal Twitter account credentials. They often send fraudulent emails or direct messages that appear to be from Twitter, asking users to provide their login credentials on a fake website.
What are the cyber attacks in 2024? ›
Records Breached: 57,000
In February 2024, Bank of America reported a ransomware attack targeting Mccamish Systems, one of the bank's service providers, affecting more than 55,000 customers.
What is the mother of all breaches? ›
In January 2024, a data leak of 26 billion records was discovered by security researcher Bob Diachenko of Security Discovery. This data breach has quickly come to be known as The Mother Of All Breaches (aka MOAB) due to its size and contains 12 terabytes of user data from 3,876 domains.
The company was not hacked itself - but rather criminals logged into about 14,000 individual accounts, or 0.1% of customers, by using email and password details previously exposed in other hacks.
Can Twitter see your data? ›
When you use Twitter, even if you're just looking at Tweets, we receive some personal information from you like the type of device you're using and your IP address. You can choose to share additional information with us like your email address, phone number, address book contacts, and a public profile.
Can Twitter see my DMs? ›
That means Twitter has access to the contents of your DMs, which many users likely consider to be the most sensitive or intimate data the company has on them.
Is it illegal to scrape Twitter data? ›
Remember, while scraping Twitter data can provide valuable insights, it's essential to respect privacy, minimize impact on Twitter's servers, and adhere to legal and ethical guidelines. Scraping is completely legal if the data gathered is considered openly available.
What is the root cause of data breaches? ›
Weak and stolen credentials
Although hacking attacks are frequently cited as the leading cause of data breaches, it's often the vulnerability of compromised or weak passwords or personal data that opportunistic hackers exploit.
How did the exactis data breach happen? ›
The Exactis data breach occurred when a database containing 340 million records was found on a publicly accessible server, allowing anyone who knew its location to access the sensitive information. The specific methods used by hackers, if any, remain unclear, as well as the duration of the data exposure.
How did data breach happen? ›
Data breaches are caused by: Innocent mistakes, such as an employee emailing confidential information to the wrong person. Malicious insiders, including angry or laid-off employees who want to hurt the company and greedy employees who want to profit off the company's data.
What was the worst data breach in history? ›
The data breach of Yahoo is one of the worst and most infamous cases of a known cyberattack and currently holds the record for the most people affected. The first attack occurred in 2013, and many more would continue over the next three years.
