What the leak of 200 million emails on Twitter really means



Following reports in late 2022 that hackers were selling data stolen from 400 million Twitter users, researchers now say that a widely circulating pool of email addresses tied to some 200 million users is likely a refined version of that larger trove with duplicate records removed. The social network has yet to comment on the massive revelation, but the cache of data sheds light on the severity of the breach and on who may be most at risk as a result.

From June 2021 to January 2022, a flaw existed in Twitter’s application programming interface, or API, that let anyone submit contact information, such as an email address or phone number, and receive back the Twitter account linked to it, if one existed. Before it was patched, attackers exploited the flaw to “scrape” data from the social network at scale. The bug didn’t allow hackers to access passwords or other sensitive information like DMs, but it did expose the link between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers behind them, potentially identifying users.

While it was live, the vulnerability was apparently exploited by several actors to build separate data collections. One, which has been circulating on crime forums since the summer, contained the email addresses and phone numbers of about 5.4 million Twitter users. The massive, newly discovered hoard appears to contain only email addresses. Even so, the wide circulation of the data creates the risk that it will be used for phishing, identity theft attempts and other targeting of individuals.

Twitter did not respond to WIRED’s requests for comment. The company wrote of the API vulnerability in its August disclosure: “When we became aware of it, we immediately investigated and fixed it. At the time, we had no evidence to suggest that anyone had exploited the vulnerabilities.” Twitter’s telemetry apparently wasn’t enough to detect the malicious scraping.
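
The lookup oracle described above, and the kind of per-client telemetry check that the article says Twitter’s monitoring apparently lacked, as an added example: this is not Twitter’s code or its actual fix. The in-memory directory, the handles and contacts, the opt-in “discoverable” design of the hardened endpoint and the rate threshold are all assumptions made for illustration.

```python
"""Added example: a contact-lookup endpoint as an enumeration oracle.

An attacker holding email addresses from earlier breaches submits each one;
the vulnerable endpoint answers with the linked handle, turning a list of
emails into a list of de-pseudonymised accounts. The hardened endpoint only
answers for owners who opted in to discoverability, and a sliding-window
monitor flags clients performing mass lookups.
"""
from collections import defaultdict, deque

# Constructed sample directory: contact -> handle. Entirely made up.
DIRECTORY = {
    "alice@example.com": "@anon_watchdog",
    "+15555550123": "@anon_watchdog",
    "bob@example.org": "@bob_public",
}
# Assumed opt-in set: owners who chose "let others find me by email/phone".
DISCOVERABLE = {"@bob_public"}


def vulnerable_lookup(contact):
    """Oracle as the article describes it: any registered contact resolves
    to its account, regardless of the owner's privacy intent."""
    handle = DIRECTORY.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "handle": handle}


def hardened_lookup(contact):
    """Assumed hardened design (not Twitter's actual fix): resolve only when
    the owner opted in; unknown and opted-out contacts get the same response,
    so the endpoint no longer confirms that a contact belongs to anyone."""
    handle = DIRECTORY.get(contact)
    if handle is not None and handle in DISCOVERABLE:
        return {"found": True, "handle": handle}
    return {"found": False}


class ScrapeMonitor:
    """Per-client sliding-window counter. record() returns True once a client
    exceeds `limit` lookups inside `window` seconds (threshold is assumed)."""

    def __init__(self, limit=100, window=60.0):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def record(self, client, now):
        q = self._events[client]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def scrape(lookup, contacts, client, monitor, start=0.0, interval=0.01):
    """Simulated attacker run over a breach-sourced contact list.

    Returns (linked, flagged): the contact -> handle pairs recovered, and
    whether the monitor flagged the client at any point during the run.
    """
    linked = {}
    flagged = False
    for i, contact in enumerate(contacts):
        flagged |= monitor.record(client, start + i * interval)
        resp = lookup(contact)
        if resp.get("found"):
            linked[contact] = resp["handle"]
    return linked, flagged


if __name__ == "__main__":
    # Constructed attacker input: two real-looking hits plus one miss.
    leaked = ["alice@example.com", "nobody@example.net", "bob@example.org"]
    print("vulnerable:", scrape(vulnerable_lookup, leaked, "c1", ScrapeMonitor()))
    print("hardened:  ", scrape(hardened_lookup, leaked, "c1", ScrapeMonitor()))
    bulk = ["u%d@example.com" % i for i in range(200)]
    print("bulk flagged:", scrape(vulnerable_lookup, bulk, "c2", ScrapeMonitor())[1])
```

The hardened variant does not make the feature safe for users who opted in, which is exactly why the page's later advice is to keep a publicly known email or phone number off the account; the monitor is the simplest form of the detection that would have shown hundreds of millions of lookups from a handful of clients.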

Twitter is far from the first platform to expose data to mass scraping via an API flaw, and in such cases confusion is common about how many distinct data sets the abuse actually produced. Even so, these incidents are significant because they add further links and verification to the vast amount of stolen user data that already circulates in the criminal ecosystem.

“Obviously there are a lot of people who were aware of this API vulnerability and a lot of people who scraped it. Did different people scrape different things? How many troves are there? It doesn’t matter a bit,” says Troy Hunt, founder of the breach tracking site HaveIBeenPwned. Hunt fed the Twitter dataset into HaveIBeenPwned and says it represented information on more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in past breaches recorded by HaveIBeenPwned. And Hunt says he has sent warning emails to nearly 1,064,000 of his service’s 4.4 million email subscribers.

“This is the first time I’ve sent a seven-figure email,” he says. “Almost a quarter of my entire subscriber base is really significant. But since so much has already been out there, I don’t think it’s going to be an incident that has a long run in terms of impact. But it can de-anonymize people. The thing I’m more worried about is the individuals who wanted to keep their privacy.”

Twitter wrote in August that it shared this concern about the possibility of connecting pseudonymous user accounts with their real identities as a result of the API vulnerability.

“If you operate a pseudonymous Twitter account, we understand the risks that such an incident can bring, and we deeply regret that this has occurred,” the company wrote. “To keep your identity as hidden as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”

However, this advice comes too late for users whose accounts were still tied to a real, identifiable email address or phone number, rather than a burner, at the time of the scraping. In August, the social network said it was informing potentially affected people about the situation. The company did not say whether it would make further announcements in light of the hundreds of millions of records now exposed.

The Irish Data Protection Commission said last month it was investigating the incident, which compromised the email addresses and phone numbers of 5.4 million users. Twitter is also currently under investigation by the US Federal Trade Commission over whether the company violated a “consent decree” that required Twitter to improve user privacy and data protection measures.

This story originally appeared on wired.com.
