What Twitter’s 200 million email leak really means

Not Elon’s fault —

Exposure of email addresses puts pseudonymous users of the social network at risk.

Lily Hay Newman, wired.com

Rosie Struve; Getty Images

After reports at the end of 2022 that hackers were selling data stolen from 400 million Twitter users, researchers now say that a widely circulated trove of email addresses linked to about 200 million users is likely a refined version of the larger trove with duplicate entries removed. The social network has not yet commented on the massive exposure, but the cache of data clarifies the severity of the leak and who may be most at risk as a result of it.

From June 2021 until January 2022, there was a bug in a Twitter application programming interface, or API, that allowed attackers to submit contact information like email addresses and receive the associated Twitter account, if any, in return. Before it was patched, attackers exploited the flaw to “scrape” data from the social network. And while the bug did not allow hackers to access passwords or other sensitive information like DMs, it did expose the connection between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers linked to them, potentially identifying users.

While it was live, the vulnerability was apparently exploited by multiple actors to build different collections of data. One that has been circulating in criminal forums since the summer included the email addresses and phone numbers of about 5.4 million Twitter users. The massive, newly surfaced trove appears to contain only email addresses. However, wide circulation of the data creates the risk that it will fuel phishing attacks, identity theft attempts, and other targeting of individuals.

Twitter did not respond to WIRED’s requests for comment. The company wrote about the API vulnerability in an August disclosure: “When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.” Apparently, Twitter’s telemetry was inadequate to detect the malicious scraping.
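As an added illustration (not Twitter’s code and not from the article), this is the kind of telemetry that would surface the abuse described above: a detector run over constructed request logs for a contact-to-account lookup endpoint of the shape the bug exposed. Client names, addresses and thresholds are all made up for the example.

```python
"""Added example: flag clients that walk a list of contacts through a
contact-to-account lookup endpoint. Logs and client ids are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client id, contact queried, hit/miss.
# "app-legit" repeats the same contact (normal sync); "app-scrape" walks
# through addresses it does not own, most of which have no account.
SAMPLE_LOG = """\
2021-07-01T10:00:00 app-legit a@example.com hit
2021-07-01T10:05:00 app-legit a@example.com hit
2021-07-01T10:00:00 app-scrape u1@example.com miss
2021-07-01T10:00:01 app-scrape u2@example.com hit
2021-07-01T10:00:02 app-scrape u3@example.com miss
2021-07-01T10:00:03 app-scrape u4@example.com hit
2021-07-01T10:00:04 app-scrape u5@example.com miss
2021-07-01T10:00:05 app-scrape u6@example.com hit
"""

def parse(line):
    """One log line -> (timestamp, client, contact, result)."""
    ts, client, contact, result = line.split()
    return datetime.fromisoformat(ts), client, contact, result

def flag_scrapers(log_text, window=timedelta(minutes=10), max_distinct=5):
    """Return {client: stats} for clients that looked up more than
    max_distinct different contacts inside any sliding time window.
    The miss ratio is reported as supporting context: a scraper feeding
    in addresses from other breaches produces many lookups for contacts
    that have no account at all."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, contact, result = parse(line)
        events[client].append((ts, contact, result))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {contact for _, contact, _ in win}
            if len(distinct) > max_distinct:
                misses = sum(1 for _, _, r in win if r == "miss")
                flagged[client] = {"distinct": len(distinct),
                                   "miss_ratio": round(misses / len(win), 2)}
                break
    return flagged

if __name__ == "__main__":
    print(flag_scrapers(SAMPLE_LOG))
```

In production the same per-client distinct-contact count would feed a rate limit on the endpoint, so the detection and the mitigation share one signal.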

Twitter is far from the first platform to expose data to mass scraping through an API flaw, and it is common in such scenarios for there to be confusion about how many distinct troves of data actually exist as a result of malicious exploitation. These incidents are still significant, though, because they add more connections and validation to the massive body of stolen data about users that already exists in the criminal ecosystem.

“Obviously, there are multiple people who were aware of this API vulnerability and multiple people who scraped it. Did different people scrape different things? How many troves are there? It kind of doesn’t matter,” says Troy Hunt, founder of the breach-tracking site HaveIBeenPwned. Hunt ingested the Twitter data set into HaveIBeenPwned and says that it represented information about more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in past breaches recorded by HaveIBeenPwned. And Hunt says he sent notification emails to nearly 1,064,000 of his service’s 4,400,000 email subscribers.

“It’s the first time I’ve sent a seven-figure email,” he says. “Almost a quarter of my entire corpus of subscribers is really significant. But because so much of this was already out there, I don’t think this is going to be an incident that has a long tail in terms of impact. But it may de-anonymize people. The thing I’m more worried about is those individuals who wanted to maintain their privacy.”

Twitter wrote in August that it shared this concern about the potential for users’ pseudonymous accounts to be linked to their real identities as a result of the API vulnerability.

“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” the company wrote. “To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”

For users who hadn’t already linked their Twitter handles to burner email accounts at the time of the scraping, though, the advice comes too late. In August, the social network said it was notifying potentially impacted individuals about the situation. The company has not said whether it will do additional notification in light of the hundreds of millions of exposed records.

Ireland’s Data Protection Commission said last month that it is investigating the incident that produced the trove of 5.4 million users’ email addresses and phone numbers. Twitter is also currently under investigation by the US Federal Trade Commission over whether the company violated a “consent decree” that obligated Twitter to improve its user privacy and data security measures.

This story originally appeared on wired.com.

Copyright for syndicated content belongs to the linked source: Ars Technica – https://arstechnica.com/?p=1908413