The Washington Post

Hackers leak email addresses tied to 235 million Twitter accounts

The records, probably compiled in late 2021, were published on a popular underground marketplace, researchers said


Records of 235 million Twitter accounts and the email addresses used to register them have been posted to an online hacking forum, setting the stage for anonymous handles to be linked to real-world identities.

That poses threats of exposure, arrest or violence against people who used Twitter to criticize governments or powerful individuals, and it could open up others to extortion, security experts said. Hackers could also use the email addresses to attempt to reset passwords and take control of accounts, especially those not protected by two-factor authentication.

“This database is going to be used by hackers, political hacktivists and of course governments to harm our privacy even further,” said Alon Gal, co-founder of the Israeli security company Hudson Rock, who spotted the posting on a popular underground marketplace.

The records were probably compiled in late 2021, using a flaw in Twitter’s system that allowed outsiders who already had an email address or phone number to find any account that had shared that information with Twitter. Those lookups could be automated to check an unlimited list of emails or phone numbers.

Twitter said in August that it had learned of the vulnerability in January 2022 through its reward program for bug reports and that the vulnerability had been accidentally introduced in a code update seven months before that.

In July, hackers were spotted selling a set of 5.4 million Twitter account handles and associated emails and phone numbers, which Twitter said was the first it learned that someone had taken advantage of the flaw.

The much larger data dump was almost certainly compiled in the same way and has been offered for private sale and circulated for a while before the recent publication, Gal said.

Ireland’s Data Protection Commission said last month that it was investigating the earlier breach and that Europe’s General Data Protection Regulation might have been violated. The new batch is likely to add to the intensity of that probe and an ongoing inquiry by the U.S. Federal Trade Commission into whether Twitter has been violating consent decrees in which it promised to better protect user data. The FTC declined to comment.

Three-quarters of Twitter users live outside the United States and Canada.

Twitter did not respond to an email seeking comment and asking if the company had any advice for users.

Those users at the least risk provided throwaway email addresses or ones not tied to them elsewhere. But even they could be subject to account takeover attempts, phishing or emailed threats.

In its previous statement, Twitter said it fixed the flaw when it learned of it but did not say how long the process took. The report from January 2022 came during a chaotic month when the company fired both of its top security officers.

One of them, Peiter Zatko, had been arguing internally that Twitter was grossly unprepared to fend off hacking attempts, and he later filed a formal whistleblower complaint with the Securities and Exchange Commission and testified about the deficiencies in Congress.

While 235 million published records ranks among the largest breaches anywhere, it is only the latest in a stretch of security disasters at Twitter dating back more than a decade. Frequent account takeovers led to a 2011 settlement with the FTC that Zatko said the company has been violating.

While Elon Musk previously used Zatko’s testimony about poor security practices in a failed attempt to get out of buying the company, he has since laid off many of its security staffers.