After reports at the end of 2022 that hackers were selling stolen data from 400 million Twitter users, researchers now say that a widely circulated trove of email addresses associated with about 200 million users is likely a redacted version of the larger collection with duplicate entries removed. The social network has yet to comment on the massive exposure, but the cache of data shows how serious the leak was and who might be most at risk as a result.
From June 2021 through January 2022, there was a bug in the Twitter Application Programming Interface, or API, that allowed attackers to submit contact information such as an email address and receive the associated Twitter account, if any, in return. Before it was patched, attackers exploited the flaw to “scrape” data from the social network. And while the bug didn’t allow hackers to access passwords or other sensitive information like DMs, it did expose the association between Twitter accounts, which are often pseudonymous, and their linked email addresses and phone numbers, which could lead to user identification.
While it existed, the vulnerability was apparently exploited by multiple actors to build different sets of data. One set that had been circulating on criminal forums since the summer included email addresses and phone numbers for about 5.4 million Twitter users. The newly surfaced mega-trove seems to contain only email addresses. However, the large-scale circulation of the data creates a risk that it will fuel phishing attacks, identity theft attempts, and other targeting of individuals.
Twitter did not respond to WIRED’s requests for comment. The company wrote about the API vulnerability in its August disclosure: “When we became aware of this, we immediately investigated and fixed it. At the time, we had no evidence to suggest that someone had exploited the vulnerability.” Apparently, Twitter’s telemetry wasn’t enough to detect the malicious scraping.
Twitter isn’t the first platform to expose data to mass scraping through an API flaw, and it’s common in such scenarios for there to be confusion about how many distinct datasets actually exist as a result of the malicious exploitation. However, these incidents are still significant, as they add further connections and validation to the massive body of stolen data about users already present in the criminal ecosystem.
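The two paragraphs above describe the shape of the flaw (a lookup that resolves any submitted email address to an account) and the detection gap (telemetry that did not catch bulk scraping). The following added example is not Twitter’s code and does not reproduce its API; it is a constructed model of a contact-lookup endpoint with the flawed behaviour beside a hardened version that only resolves accounts whose owner opted in to discovery, plus a simple per-client scrape monitor run over constructed log lines. All account data, client ids and thresholds are assumptions made for the example.

```python
"""Added example (not Twitter's code): a model contact-lookup endpoint with the
flawed behaviour the article describes beside a hardened version, plus a
scrape detector replayed over constructed lookup-log lines.  All account data,
client ids and thresholds below are constructed for the example."""
from collections import defaultdict

# Constructed directory: handle -> (email, opted in to discovery by email)
ACCOUNTS = {
    "alice_pseudonym": ("alice@example.org", False),
    "bob_public": ("bob@example.org", True),
    "carol": ("carol@example.org", True),
}
# Reverse index the lookup endpoint consults: email -> (handle, discoverable)
EMAIL_INDEX = {email: (handle, disc) for handle, (email, disc) in ACCOUNTS.items()}


def lookup_flawed(email: str):
    """Flawed behaviour: any submitted email is resolved to its account,
    regardless of the owner's discoverability setting."""
    hit = EMAIL_INDEX.get(email)
    return hit[0] if hit else None


def lookup_hardened(email: str):
    """Hardened behaviour: resolve only accounts whose owner opted in to
    being found by email.  Opted-out and non-existent addresses both yield
    None, so the response does not even confirm the address is registered."""
    hit = EMAIL_INDEX.get(email)
    if hit is not None and hit[1]:
        return hit[0]
    return None


class LookupMonitor:
    """Per-client counters over lookup requests; a client that submits more
    lookups, or more distinct addresses, than a legitimate contact sync
    would is flagged as a likely scraper."""

    def __init__(self, max_lookups: int, max_distinct: int):
        self.max_lookups = max_lookups
        self.max_distinct = max_distinct
        self.counts = defaultdict(int)
        self.distinct = defaultdict(set)

    def record(self, client_id: str, email: str) -> None:
        self.counts[client_id] += 1
        self.distinct[client_id].add(email)

    def flagged(self) -> list:
        return sorted(
            c for c in self.counts
            if self.counts[c] > self.max_lookups
            or len(self.distinct[c]) > self.max_distinct
        )


# Constructed log lines: "<client_id> <submitted_email>"
SAMPLE_LOG = """\
app-a user1@example.net
app-a user2@example.net
app-a user1@example.net
scraper-1 a1@example.com
scraper-1 a2@example.com
scraper-1 a3@example.com
scraper-1 a4@example.com
scraper-1 a5@example.com
scraper-1 a6@example.com
scraper-1 a7@example.com
app-b user9@example.net
"""


def analyse_log(log_text: str, max_lookups: int = 5, max_distinct: int = 5) -> list:
    """Replay log lines through the monitor and return the flagged clients."""
    mon = LookupMonitor(max_lookups, max_distinct)
    for line in log_text.strip().splitlines():
        client_id, email = line.split()
        mon.record(client_id, email)
    return mon.flagged()


if __name__ == "__main__":
    print(lookup_flawed("alice@example.org"))    # alice_pseudonym (pseudonym leaked)
    print(lookup_hardened("alice@example.org"))  # None
    print(analyse_log(SAMPLE_LOG))               # ['scraper-1']
```

The hardened lookup returns the same answer for an opted-out address and an unknown one, so a caller cannot use the endpoint to confirm that an address belongs to any account at all. The monitor is deliberately simple: fixed thresholds on volume and on distinct addresses per client are enough to separate a contact sync from a bulk enumeration in the constructed log, and in practice they would be tuned to the real distribution of legitimate lookups.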
“Obviously there are many people who were aware of this API vulnerability and many people who took it down. Did different people scrape different things? How many burials are there? Never mind,” says Hunt. Hunt ingested the Twitter dataset into HaveIBeenPwned and said it represented information on more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in previous breaches recorded by HaveIBeenPwned. Hunt says he sent email notifications to nearly 1,064,000 of the 4,400,000 email subscribers to his service.
“It’s the first time I’ve ever sent a seven-digit email,” he says. “Almost a quarter of my total subscriber count is really important. But since a lot of this was already out there, I don’t think this would be an incident with a long tail in terms of impact. They wanted to keep their privacy.”
Twitter wrote in August that it shared this concern about the possibility of pseudonymous user accounts being linked to their real identities as a result of the API vulnerability.
“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can pose and we deeply regret that this happened,” the company wrote. “To keep your identity as anonymous as possible, we recommend that you do not add a phone number or a publicly known email address to your Twitter account.”
For users who hadn’t already linked their Twitter handles to burner email accounts at the time of the scraping, though, the advice comes too late. In August, the social network said it had informed potentially affected individuals of the situation. The company did not say whether it would provide further notice in light of the hundreds of millions of exposed records.
Ireland’s Data Protection Commission said last month that it was investigating the incident that exposed the email addresses and phone numbers of 5.4 million users. Twitter is currently under investigation by the US Federal Trade Commission over whether the company violated a “consent decree” that required Twitter to improve its user data and privacy protections.
This story originally appeared on wired.com.