While hackers were selling data stolen from 400 million Twitter users in late 2022, researchers now say the widely circulating trove of email addresses tied to about 200 million users is most likely a cleaned-up version of that larger set with duplicate records removed. Twitter has not yet commented on the mass exposure, but the data cache makes clear both the severity of the leak and who stands to be most at risk from it.
From June 2021 to January 2022, a bug in a Twitter application programming interface, or API, let anyone submit contact information such as an email address or phone number and receive the associated Twitter account in return, if one existed. Before it was fixed, attackers used the flaw to scrape data from the social network at scale. The bug did not expose passwords or other sensitive data such as DMs, but it tied Twitter accounts, which are often pseudonymous, to their owners' email addresses and phone numbers, potentially identifying users who never intended to be identified.
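To make the mechanism concrete, the following is an added illustrative model, not Twitter's code: the account store, handles, addresses, the per-window cap and the `ContactSyncService` name are all assumptions. It shows a contact-lookup endpoint that acts as an enumeration oracle (any email or phone maps straight to a handle, and the response says whether an account exists), beside a hardened form that only surfaces accounts whose owners opted into discoverability, returns the same shape whether a contact is unknown or merely hidden, and caps how many contacts one caller can submit per window.

```python
"""Contact lookup as an enumeration oracle, and a hardened contact sync.

Added example, not Twitter's implementation.  The account store,
identifiers and limits below are constructed for illustration.
"""
import time
from collections import defaultdict

# Constructed sample store: handle -> (email, phone, discoverable_by_contacts)
ACCOUNTS = {
    "pseudonymous_whistleblower": ("leak.source@example.org", "+15550100001", False),
    "jane_public": ("jane@example.com", "+15550100002", True),
}


def _build_index():
    """Map every email and phone to (handle, discoverable)."""
    idx = {}
    for handle, (email, phone, discoverable) in ACCOUNTS.items():
        idx[email.lower()] = (handle, discoverable)
        idx[phone] = (handle, discoverable)
    return idx


CONTACT_INDEX = _build_index()


def lookup_vulnerable(contact: str) -> dict:
    """Vulnerable: any caller maps a contact to a handle, and the response
    reveals whether an account exists at all.  Driven through a leaked list
    of addresses, this deanonymizes every matching pseudonymous account."""
    hit = CONTACT_INDEX.get(contact.lower())
    if hit:
        return {"found": True, "handle": hit[0]}
    return {"found": False}


class ContactSyncService:
    """Hardened: honours the owner's discoverability setting, answers with
    one uniform shape (a list of matches, never a per-contact found flag),
    and limits how many contacts a caller may submit per time window."""

    def __init__(self, max_contacts_per_window=100, window_s=3600):
        self.max = max_contacts_per_window
        self.window_s = window_s
        self._usage = defaultdict(list)  # caller -> timestamps of submitted contacts

    def _allow(self, caller, n, now):
        recent = [t for t in self._usage[caller] if now - t < self.window_s]
        self._usage[caller] = recent
        if len(recent) + n > self.max:
            return False
        self._usage[caller].extend([now] * n)
        return True

    def sync(self, caller, contacts, now=None):
        now = time.time() if now is None else now
        if not self._allow(caller, len(contacts), now):
            raise PermissionError("contact sync rate limit exceeded")
        matches = []
        for c in contacts:
            hit = CONTACT_INDEX.get(c.lower())
            if hit and hit[1]:  # only accounts that opted into discovery
                matches.append(hit[0])
        # Unknown contacts and hidden accounts are indistinguishable here.
        return {"matches": sorted(matches)}
```

Rate limiting on its own does not close the hole: a patient scraper stays under any per-client cap by spreading the work across many clients, so the opt-in check and the uniform response are what actually stop the email-to-handle mapping.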
While the bug was live, it appears to have been exploited by multiple actors to build separate collections of data. One, which has been circulating on criminal forums since the summer, included the email addresses and phone numbers of some 5.4 million Twitter users. The much larger trove that surfaced recently appears to contain only email addresses. Even so, the wide dissemination of the data creates the risk that it will facilitate phishing, identity theft attempts, and other targeted attacks against individuals.
Twitter did not respond to WIRED’s requests for comment. The company wrote about the API vulnerability in its August disclosure: “When we became aware of this, we immediately investigated and fixed it. At the time, we had no evidence that anyone had exploited the vulnerability.” Apparently, Twitter’s telemetry was not enough to detect the malicious scraping.
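That telemetry gap is the part a defender would want to see handled. The sketch below is an added example, not Twitter's detection logic; the log format, field names, caller IDs and thresholds are constructed for illustration. It parses lookup audit lines and flags callers that resolve an unusual number of distinct contacts inside a window, or whose lookups are overwhelmingly misses, which is the signature of someone walking a leaked address list rather than syncing a real address book.

```python
"""Detecting contact-lookup scraping from audit logs.

Added example with constructed log lines; the line format
("<ts> caller=<id> contact=<email|phone> result=hit|miss") and the
thresholds are assumptions, not Twitter's telemetry.
"""
import re
from collections import Counter, defaultdict, deque

LOG_RE = re.compile(
    r"^(?P<ts>\d+) caller=(?P<caller>\S+) contact=(?P<contact>\S+) result=(?P<result>hit|miss)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


def detect_scrapers(lines, window_s=600, max_distinct=50,
                    min_queries=20, max_miss_ratio=0.9):
    """Per caller, slide a time window over its lookups and alert when it
    resolves more than max_distinct different contacts, or when at least
    min_queries lookups are mostly misses (a real address-book sync hits
    often; a leaked list mostly does not).  Returns {caller: reason}."""
    by_caller = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_caller[ev["caller"]].append(ev)

    alerts = {}
    for caller, events in by_caller.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        in_window = Counter()  # contact -> occurrences inside the window
        misses = 0
        for ev in events:
            window.append(ev)
            in_window[ev["contact"]] += 1
            misses += ev["result"] == "miss"
            # Evict events that fell out of the window (ev itself never does).
            while ev["ts"] - window[0]["ts"] >= window_s:
                old = window.popleft()
                in_window[old["contact"]] -= 1
                if in_window[old["contact"]] == 0:
                    del in_window[old["contact"]]
                misses -= old["result"] == "miss"
            n = len(window)
            if len(in_window) > max_distinct:
                alerts[caller] = f"{len(in_window)} distinct contacts in {window_s}s"
                break
            if n >= min_queries and misses / n > max_miss_ratio:
                alerts[caller] = f"miss ratio {misses / n:.2f} over {n} lookups"
                break
    return alerts


def build_sample_log():
    """Constructed lines: one ordinary client, one fast scraper, one slow one."""
    lines = [
        "1000 caller=app-abc contact=jane@example.com result=hit",
        "1001 caller=app-abc contact=bob@example.com result=miss",
        "1002 caller=app-abc contact=+15550100002 result=hit",
        "1003 caller=app-abc contact=carol@example.com result=hit",
        "1005 caller=app-abc contact=dan@example.com result=miss",
    ]
    # Fast scraper: walks 200 leaked addresses, one per second, about 4% hits.
    for i in range(200):
        res = "hit" if i % 25 == 0 else "miss"
        lines.append(f"{2000 + i} caller=app-fast contact=u{i:04d}@example.net result={res}")
    # Slow scraper: one lookup every 40 seconds, all misses.
    for i in range(100):
        lines.append(f"{5000 + 40 * i} caller=app-slow contact=p{i:04d}@example.net result=miss")
    return lines


if __name__ == "__main__":
    print(detect_scrapers(build_sample_log()))
```

With the default ten-minute window the slow caller never accumulates enough lookups to trip either rule; widening the window, or keeping a per-day distinct-contact budget alongside it, catches it. That is the usual trade-off between detection latency and sensitivity to low-and-slow scraping, and it is why a single short-window rate threshold is not enough evidence to say nobody exploited a bug.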
Twitter is far from the first platform to have its data mass-scraped through an API vulnerability, and in such cases there is often confusion about how many distinct datasets actually resulted from the abuse. These incidents still matter, though, because they add more links and corroborating evidence to the vast pool of stolen user data already circulating in the criminal ecosystem.
“Obviously there are a few people who knew about this API vulnerability and a few people who scraped it. Did different people scrape different things? How many troves are there? It kind of doesn’t matter,” says Troy Hunt, founder of the breach-tracking site HaveIBeenPwned. Hunt loaded the Twitter dataset into HaveIBeenPwned and says it contains information on more than 200 million accounts; 98 percent of the email addresses had already been exposed in past breaches recorded by HaveIBeenPwned. Hunt says he has sent email notifications to almost 1,064,000 of his service’s 4.4 million email subscribers.
“This is the first time I’ve sent a seven-figure email,” he says. “Nearly a quarter of my entire body of subscribers is really significant. But since a lot of this was already known, I don’t think it will be an incident that will have a long tail in terms of impact. But it can deanonymize people. I’m more concerned about those people who wanted to keep their privacy.”