Twitter claims there’s “no evidence” 200 million leaked usernames and email addresses came from an exploit of its systems (2024)

A database posted online claims to reveal more than 200 million associated Twitter usernames and email addresses. Now, several days after the initial reports, Twitter says the “dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.”

According to reports from security researchers and media outlets including BleepingComputer, the credentials in the leak were compiled from a number of earlier Twitter breaches dating back to 2021. According to Twitter, however, there is “no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.”

Its statement addresses the information in the datasets only by saying, “The data is likely a collection of data already publicly available online through different sources.”

The Verge contacted Twitter for additional clarity about the accuracy of the records in the leaks, but Twitter does not have a functioning press office since being acquired by Elon Musk.

Twitter:

5.4 million user accounts reported in November were found to be the same as those exposed in August 2022.

400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident.

200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.

Both datasets were the same, though the second one had the duplicated entries removed.

None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.

“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the data on LinkedIn. “[It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.” The datasets don’t contain passwords, as experts and Twitter have pointed out, but email addresses can still be especially useful for hackers targeting specific accounts.

Estimates of the exact number of users affected by the breach vary, in part because of the tendency for such large-scale data dumps to include duplicate records. Screenshots of the database shared by BleepingComputer show it contains a number of text files listing email addresses and linked Twitter usernames as well as users’ real names (if they shared them with the site), their follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being sold on one hacking forum for as little as $2.

Troy Hunt, creator of the cybersecurity alert site Have I Been Pwned, also analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks to be pretty much what it’s been described as.”

The breach has now been added to Have I Been Pwned’s systems, meaning anyone can visit the site and enter their email address to see if it was included in the database.

The origin of the database seems to be traced back to 2021, reports The Washington Post, when hackers discovered a vulnerability in Twitter’s security systems. The flaw allowed malicious actors to automate account lookups, entering email addresses and phone numbers en masse to see if they were associated with Twitter accounts.

Twitter disclosed this vulnerability in August 2022, saying it had fixed the issue in January of that year after it was reported as a bug bounty. The company claimed at the time it “had no evidence to suggest someone had taken advantage of the vulnerability,” but cybersecurity experts had already spotted databases of Twitter credentials for sale in July of that year.

The company also said on Wednesday that its investigations showed that around 5.4 million user accounts had been exposed in November. That appears to be the only dataset it’s attributing to the years-old vulnerability, which went unnoticed by Twitter for roughly seven months.

The breach is only the latest cybersecurity debacle to affect Twitter, which has long struggled to protect its users’ data. The company is already being investigated by the EU for the breach (based on first reports in July 2022) and is being probed by the FTC for similar security lapses. Last August, Twitter’s former head of security turned whistleblower on the company, Peiter “Mudge” Zatko, filed a complaint with the US government in which he claimed that the company was covering up “egregious deficiencies” in its cybersecurity defenses.

Update January 11th, 4:05PM ET: Added Twitter’s response to the incident claiming there’s no evidence linking most of the leaked IDs to data from its systems.

FAQs

How did Twitter get breached?

How was Twitter hacked? The data was acquired in 2021 through the misuse of an API that allowed for matching email addresses with Twitter profiles.

How did Twitter account get hacked?

If your Twitter account's been hacked, it could be because your data was compromised in a data breach, you were caught up in a widespread phishing campaign that resulted in a stolen password, or spyware made its way onto your device.

What is leaked on Twitter?

The leaked data includes email addresses, names, and Twitter account details, leaving users vulnerable to phishing attacks, identity theft, and social engineering schemes.

How many accounts were hacked on Twitter?

Hunt ingested the Twitter data set into HaveIBeenPwned and says that it represented information about more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in past breaches recorded by HaveIBeenPwned.

When was 23andMe hacked?

In October 2023, a hacker known as Golem claimed to have hijacked the profile information of millions of users from 23andMe. The attack, acknowledged by the company, was a result of hacking techniques including 'credential stuffing' to gain unauthorised access to the profile information of millions of users.

How did the alleged Twitter hackers get caught?

Bitcoin payments and IP addresses led investigators to two of the alleged perpetrators in just over two weeks. On July 15, a Discord user with the handle Kirk#5270 made an enticing proposition. “I work for Twitter,” they said, according to court documents released Friday.

Should I be worried if my Twitter account was hacked?

If someone has access to your Twitter account, they have access to your information associated with that account, such as your phone number. Privacy is only becoming more important, and there can be greater consequences when personal information is accessed.

How did my accounts get hacked?

It's possible that a cybercriminal was able to hack your online account by installing malware on your computer. Malware is malicious software that can do different things based on the type of malware it is.

When was Twitter last hacked?

The most recent Twitter data breach happened in January 2023, when a database concerning over 200 million Twitter users was published on a notable hacker forum. As of October 2023, there have been no reported Twitter breaches since this incident.

Does Twitter track you?

Twitter tracks your searches on your mobile device, and it stores your location information.

What is the largest data breach in history?

  1. Yahoo. Year: 2013-2016. Number of records affected: Over 3 billion user accounts. ...
  2. Equifax. Year: 2017. ...
  3. Facebook. Year: 2019. ...
  4. First American Financial Corporation. Year: 2019. ...
  5. Aadhaar. Year: 2018. ...
  6. MySpace. Year: 2013. ...
  7. LinkedIn. Year: 2021. ...
  8. Friend Finder Networks. Year: 2016.

Why is Twitter hiding content from me?

So it's unavoidable that mature and sensitive content will make its way to the platform. By default Twitter/𝕏 hides sensitive content but you can change this setting if you want.

What is the mother of all cyber attacks?

What are the 26 billion records breached? The 2024 massive breach, known as the Mother of All Breaches (MOAB), encompasses many data types, including usernames, passwords, and sensitive personal information.

What accounts get hacked the most?

In 2023, 25% of Facebook accounts were hijacked, while the hacking percentage of Instagram accounts reached 85%. Facebook accounts are the most compromised account types in the United States, reaching around 67,941 every month.

What is the largest password leak?

RockYou2024 isn't just a leak; it's a behemoth collection of 9,948,575,739 passwords that could potentially affect millions of users worldwide.

How did the real estate wealth network breach happen?

In early 2023, REWN discovered unauthorized access to its customer database. The breach was attributed to a phishing attack that targeted an employee, allowing the attackers to gain access to login credentials.

What has Twitter been accused of?

The owners of Twitter have been accused of trying to "bully" anti-hate campaigners into silence with letters threatening legal action. The Center for Countering Digital Hate (CCDH) said X Corp accused it of making "troubling and baseless claims" in its reports about the platform.

Why did Twitter remove the egg?

Twitter acknowledged that one of the reasons it killed the egg was to counter its association with "negative behavior." "We've noticed patterns of behavior with accounts that are created only to harass others – often they don't take the time to personalize their accounts," the company said.

Why is the FTC investigating Twitter?

The FTC's investigation stemmed from allegations that Musk, newly minted as Twitter's owner, ordered staff to give outside writers “full access to everything” in late 2022.

Author: Dong Thiel