Twitter Security Headaches Mount With User Data Leak Claim

Database posted on hacking forum is alleged to contain email addresses and handles for more than 230 million Twitter users.

(Bloomberg) — An anonymous user on a hacker forum has published a massive database that they claim contains basic information on more than 230 million Twitter users, such as email addresses and screen names.

The database, which was posted on Wednesday, contains the names and email addresses of politicians, journalists and bankers, among others. The data was siphoned out because of a flaw in Twitter’s software, experts say, which has since been fixed.

As of July, Twitter had 237.8 million daily active users, according to company data. 

Experts believe the database dates to 2021 or so, before Elon Musk took ownership of the company. Still, it may represent a risk for some users, in addition to representing yet another security headache for Twitter.

In September, former Twitter security chief Peiter “Mudge” Zatko described to lawmakers and regulators a platform suffering from outdated software and a reactive security policy that had engineers running “from fire to fire.” In 2020, a Florida teenager was accused of orchestrating a breach of high-profile Twitter accounts, including those of Joe Biden, Elon Musk and Kanye West.

The publication of the leaked data this week comes amid ongoing investigations of Twitter in the US and Europe, which could result in fines. Ireland’s Data Protection Commission said it’s probing a breach of 5.4 million Twitter users’ data. Separately, the US Federal Trade Commission has been examining if the company is complying with its 2011 consent order.

Here’s what this means for Twitter users:

What data was stolen?

A database with what appears to be more than 230 million users’ email addresses, screen names and full names was posted on the website BreachForums. A Bloomberg News review of the data shows it also contains the number of each account’s followers and when the account was created.

Twitter said in August that it learned of the underlying flaw in January 2022 through its bug-bounty program, which provides rewards for programmers who spot software flaws.

How did it happen?

Experts say malicious actors discovered in 2021 that one of Twitter’s services for programmers, an application programming interface, or API, was flawed. It allowed them to extract certain details about a user account if the API was given that account’s email address, said Jamie Boote, associate software security consultant at Synopsys Inc. Lists assembled that way grew into the hundreds of millions of users’ records posted this week.
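The flaw described above is a classic enumeration oracle: an endpoint that turns an email address into an account handle also confirms which addresses are registered. The following is an added illustration, not code from the Bloomberg article and not Twitter’s own API; the user table, the opt-in “discoverable by email” setting, the rate-limit numbers and the endpoint names are all assumptions chosen to show the pattern and one generic hardening of it. It puts the leaky lookup beside a version that returns the same answer for “not opted in” and “no such account” and throttles each caller, then runs an attacker-style candidate list through both.

```python
"""Email-to-account lookup as an enumeration oracle, beside a hardened form.

Constructed example: accounts, settings and limits are assumptions, not
Twitter's real API or data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import time


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    discoverable_by_email: bool  # assumed per-user opt-in setting


# Constructed sample user table (not real accounts).
USERS: List[Account] = [
    Account("alice", "alice@example.com", True),
    Account("bob", "bob@example.org", False),
    Account("carol", "carol@example.net", False),
]
BY_EMAIL: Dict[str, Account] = {u.email.lower(): u for u in USERS}

# Constructed attacker wordlist: three registered addresses plus guesses.
CANDIDATES: List[str] = [
    "alice@example.com", "bob@example.org", "dave@example.com",
    "carol@example.net", "erin@example.org", "frank@example.com",
    "grace@example.net", "heidi@example.org",
]


def lookup_vulnerable(email: str, caller: str = "anon",
                      now: Optional[float] = None) -> dict:
    """Flawed pattern: any caller maps a registered address straight to a
    handle, and "found" vs "not found" reveals whether the email is registered.
    `caller` and `now` are accepted only so both lookups share a signature."""
    u = BY_EMAIL.get(email.strip().lower())
    if u is None:
        return {"found": False}
    return {"found": True, "handle": u.handle}


class FixedWindowLimiter:
    """Allow at most `limit` calls per caller within each `window_s` window."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._counts: Dict[Tuple[str, int], int] = defaultdict(int)

    def allow(self, caller: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        key = (caller, int(now // self.window_s))
        self._counts[key] += 1
        return self._counts[key] <= self.limit


def lookup_hardened(email: str, caller: str, now: Optional[float],
                    limiter: FixedWindowLimiter) -> dict:
    """Hardened pattern (assumed policy): per-caller rate limit, only accounts
    that opted in are resolvable, and "not opted in" is indistinguishable from
    "no such account", so the endpoint stops confirming registered emails."""
    if not limiter.allow(caller, now):
        return {"error": "rate_limited"}
    u = BY_EMAIL.get(email.strip().lower())
    if u is None or not u.discoverable_by_email:
        return {"found": False}
    return {"found": True, "handle": u.handle}


def make_hardened_lookup(limit: int = 5, window_s: float = 60.0) -> Callable[..., dict]:
    """Bind a fresh limiter so each demo or test starts with a clean window."""
    limiter = FixedWindowLimiter(limit, window_s)

    def lookup(email: str, caller: str = "anon", now: Optional[float] = None) -> dict:
        return lookup_hardened(email, caller, now, limiter)

    return lookup


def enumerate_handles(lookup: Callable[..., dict], candidates: List[str],
                      caller: str = "scraper", now: float = 0.0) -> Tuple[Dict[str, str], int]:
    """Attacker's view: push a candidate list through the endpoint and keep
    every address that resolves to a handle.  Returns (hits, rate_limited_count).
    A fixed `now` keeps every call inside one rate-limit window."""
    hits: Dict[str, str] = {}
    rate_limited = 0
    for email in candidates:
        r = lookup(email, caller=caller, now=now)
        if r.get("error") == "rate_limited":
            rate_limited += 1
        elif r.get("found"):
            hits[email] = r["handle"]
    return hits, rate_limited


if __name__ == "__main__":
    print("vulnerable:", enumerate_handles(lookup_vulnerable, CANDIDATES))
    print("hardened:  ", enumerate_handles(make_hardened_lookup(), CANDIDATES))
```

Run against the same eight-address wordlist, the flawed lookup hands back all three registered handles, while the hardened one yields only the account that opted in and throttles the caller after five requests; whether a non-opted-in address exists cannot be told apart from a nonexistent one. Real deployments would pair this with authentication on the endpoint and monitoring for high-volume lookup patterns, which the page does not describe and are not shown here.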

Bloomberg contacted Twitter for comment, but communications staff was cut in Musk’s layoffs.  

Should I be worried?

The data that was leaked doesn’t contain sensitive details like credit card information, Social Security numbers or home addresses, and so far, it appears that bad actors haven’t exploited it to cause harm. But experts say that the ability to match Twitter user names to emails could prove worrisome for high-profile individuals.

Alon Gal, the co-founder of Israeli cybersecurity consultancy Hudson Rock, said the database included celebrities’ and politicians’ Twitter handles and emails — raising concerns about their security if combined with other information available on the web. Bloomberg was able to independently confirm the presence of some well-known names in the list of Twitter users posted on BreachForums. 

Separately, if email addresses are tied to prominent accounts that criticize repressive regimes, those dissidents or human-rights activists could be targeted in countries where criticism of the state is banned, experts have warned. 

How can I protect my account?

If you believe your account might have been compromised, or even if you just want to be extra secure, change your Twitter password while you are logged in, under the Account Settings tab. 

You can also change your email address using the same tab. See Twitter’s advice page for more information on how to do this. 

Always use a strong password, and avoid reusing one you have used elsewhere or one that might be easy to guess. Finally, sign up for two-factor authentication, which Twitter offers. This adds a second verification check at login, which makes it much harder for bad actors to get into your account. 

For those operating a pseudonymous Twitter account, the company has recommended not adding a publicly known phone number or email address to your Twitter account, to keep your identity as veiled as possible.

More stories like this are available on bloomberg.com

©2023 Bloomberg L.P.