Leaked Emails of 200M Twitter Users Now Available for Free
63GB Database of Names, Email Addresses Posted to Hacker Forum for All to Download
A member of a criminal data breach forum that tried to sell the email addresses of 400 million Twitter users to CEO Elon Musk last month has now posted the stolen data for free.
The post on the hacker forum website claims to include contact information for 200 million Twitter users - a shortened version of the list offered for sale on Dec. 23 after duplicate names were removed, according to researchers at Privacy Affairs.
The stolen 63GB of data includes account names, handles, creation dates, follower counts and email addresses. Telephone numbers were not disclosed in this leak, according to Privacy Affairs. Information Security Media Group was unable to immediately reach Twitter for comment on Wednesday.
The December posting claimed to include private email addresses for three dozen well-known personalities, including New York Democratic Rep. Alexandria Ocasio-Cortez, Ethereum cryptocurrency founder Vitalik Buterin and cybersecurity reporter Brian Krebs. It also included a link to a spreadsheet containing 1,000 records, a handful of which belong to public institutions and whose listed email addresses appear legitimate.
The poster, who uses a male avatar and goes by the handle "Ryushi," publicly urged Twitter CEO Elon Musk to buy the data in December to avoid huge fines for privacy violations of the EU's General Data Protection Regulation. Musk did not respond.
Ryushi said last month the records were exposed for scraping "via a vulnerability." Researchers believe the attacker amassed the data by exploiting an API vulnerability tied to the "let others find you by your phone" feature. Twitter confirmed the breach in August, saying it had learned about the flaw in January via its bug bounty program and immediately fixed it (see: Twitter Confirms Zero-Day Bug That Exposed 5.4M Accounts).
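The contact-discovery flaw described above is a familiar class of bug: an endpoint that maps an email address or phone number to an account is supposed to honor each user's "let others find you" setting, and when it does not, anyone who can call it at scale can resolve a large contact list into handles. The example below is added here to illustrate that failure mode and its mitigation; it is not Twitter's code, and it assumes (the article only says the flaw was "tied to" the feature) that the defect was a lookup that ignored the per-user opt-in. The sample accounts, handler names and the per-client quota are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool   # the "let others find you by email" setting
    discoverable_by_phone: bool   # the "let others find you by phone" setting


# Constructed sample directory; every account here is fictional.
USERS = [
    User("alice_example", "alice@example.invalid", "+15550100001", True, True),
    User("bob_example", "bob@example.invalid", "+15550100002", False, False),
    User("carol_example", "carol@example.invalid", "+15550100003", True, False),
]


def _find_by_contact(identifier: str) -> Optional[User]:
    """Match a submitted email address or phone number against the directory."""
    for user in USERS:
        if identifier in (user.email, user.phone):
            return user
    return None


def lookup_vulnerable(identifier: str) -> Optional[str]:
    """Assumed 'before' behaviour: any matching contact resolves to a handle,
    regardless of whether the account owner opted in to discovery."""
    user = _find_by_contact(identifier)
    return user.handle if user else None


def lookup_fixed(identifier: str) -> Optional[str]:
    """Hardened lookup: only opted-in matches are returned, and an opted-out
    match is indistinguishable from 'no such contact', so the endpoint cannot
    be used to confirm that an address or number belongs to some account."""
    user = _find_by_contact(identifier)
    if user is None:
        return None
    is_email = "@" in identifier
    allowed = user.discoverable_by_email if is_email else user.discoverable_by_phone
    return user.handle if allowed else None


class ContactDiscovery:
    """Per-client quota on discovery calls (constructed mitigation): even
    opted-in users can be enumerated in bulk, so the number of lookups a
    single caller may make is capped and the refusals are worth logging."""

    def __init__(self, max_lookups_per_client: int = 5) -> None:
        self.max_lookups = max_lookups_per_client
        self.calls: Dict[str, int] = {}

    def lookup(self, client_id: str, identifier: str) -> Optional[str]:
        used = self.calls.get(client_id, 0)
        if used >= self.max_lookups:
            raise PermissionError(
                f"client {client_id} exceeded {self.max_lookups} discovery lookups"
            )
        self.calls[client_id] = used + 1
        return lookup_fixed(identifier)


if __name__ == "__main__":
    # Bob opted out: the vulnerable lookup still reveals him, the fixed one does not.
    print("vulnerable:", lookup_vulnerable("bob@example.invalid"))
    print("fixed:     ", lookup_fixed("bob@example.invalid"))
    service = ContactDiscovery(max_lookups_per_client=2)
    print(service.lookup("client-a", "alice@example.invalid"))
    print(service.lookup("client-a", "+15550100001"))
    try:
        service.lookup("client-a", "carol@example.invalid")
    except PermissionError as exc:
        print("refused:", exc)
```

Two design choices matter here. First, the fixed lookup returns the same `None` for "unknown contact" and "opted out", so the response alone does not leak account existence. Second, the opt-in check and the quota address different risks: the check protects users who turned discovery off, while the quota limits how quickly a caller can resolve the users who left it on, and a client hitting that quota repeatedly is the signal a detection team would alert on.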
Experts warn that the leak of 200 million email addresses this week could result in much greater fallout for users than the previous leaks.
"This new one could be considered more severe, as now many more bad actors can obtain this data," cautions Miklos Zoltan, founder and CEO of Privacy Affairs. Zoltan advises users to watch out for phishing emails and change passwords for other websites and accounts that use the same password as their Twitter account.
Just months ago, Twitter entered into a consent order with the U.S. Federal Trade Commission binding it to maintain a privacy and information security program for the next two decades. The agreement ended a federal investigation into Twitter's use, for advertising purposes, of phone numbers and email addresses that it had collected for multifactor authentication. Twitter also paid a $150 million civil penalty. Bloomberg reports the agency is intensifying a probe into whether Twitter is complying with the order, especially given the exodus of senior legal, privacy and compliance executives (see: Twitter Ramps Up Regulatory Exposure After Loss of CISO).
The Irish Data Protection Commission in December announced an investigation into an August incident in which the contact records of 5.4 million Twitter users were dumped on the same forum favored by Ryushi (see: Cybercrime Forum Dumps Stolen Details on 5.4M Twitter Users).
Twitter, according to the Irish data protection authority, apparently violated provisions of the GDPR, Europe's privacy regulation, which are often tied to hefty fines. The Irish agency in November invoked the GDPR to fine Facebook 265 million euros after a data set containing details of more than half a billion social media users appeared online last year (see: Meta Fined by Irish Privacy Regulator for GDPR Violations).