Email addresses of 200 million users on Twitter allegedly leaked online

A data leak containing the email addresses of 200 million Twitter users has been published on a hacker forum for $2. BleepingComputer has confirmed that many of the email addresses in the leak are valid.

Since July 22, 2022, threat actors and data collectors have been selling large data sets of stolen Twitter profiles on many online hacker forums and cybercrime marketplaces. The data sets contain both private and confidential data (phone numbers and email addresses) and public information.

This data set was created by exploiting the . It allowed users to enter email addresses and telephone numbers in order to verify that they are associated with a Twitter account.

Threat actors then used another API to scrape the public Twitter data for that ID. They combined this public data with the private phone numbers and email addresses to build profiles of Twitter users.

Although Twitter has since fixed the flaw, multiple threat actors are now leaking the data sets that they gathered over a year ago.

In July, the went on sale for $30,000; in November 2022. In November, another data set was circulating that allegedly contained data for 17,000,000 users.

A threat actor sold a data set that they claim .

Free 200 Million Lines of Twitter Profiles

Today, a threat actor released a data set containing 200 million Twitter accounts on the Breached hacking forum for 8 credits of the forum's currency, which is approximately $2.

The data set is identical to the November 400 million set, but it has been cleaned up so that there are no duplicates. BleepingComputer's tests, however, have confirmed that this data set contains duplicates.

Image: The initial sale of Facebook data in June 2020 (Source: BleepingComputer)

The data was made available as a RAR archive consisting of six text files, with a total size of 59 GB.

Image: RAR archive containing leaked Twitter data (Source: BleepingComputer)

The files contain information about each Twitter user, including their email address, name, screen name, and follow count.

Image: Sample of leaked Twitter data (Source: BleepingComputer)

BleepingComputer was able to verify that the email addresses are correct for many of the listed Twitter accounts, but the complete data set has not been verified.

The data is not complete: many users were not included in the leak.

Whether or not you are included in the data set depends on whether your email address was exposed in previous data breaches.

In 2021, the threat actors compiled massive lists of email addresses and telephone numbers, which they used to send out emails. These had also been exposed in previous data breaches.

The scrapers then fed these lists into the API bug, which checked whether each phone number or email address was associated with a Twitter ID.

If your email address was only used for Twitter, it would not have been fed into the API bug.

BleepingComputer reached out to Twitter about the leaked data, but did not receive a reply.

What should you do?

Although this leaked data only includes email addresses, threat actors could use it to launch phishing attacks against accounts, particularly verified accounts.

Verified accounts and accounts with large followings are extremely valuable, as they are often used to steal cryptocurrency through online scams.

The leak also poses a privacy risk, particularly for anonymous Twitter users. It may allow anonymous Twitter users to be identified and their true identities revealed.

All Twitter users should be on the alert for targeted phishing scams that try to obtain passwords and other sensitive information.

There is nothing you can do if your email address has been leaked.