Records of 235 million Twitter accounts have been posted to an online hacking forum, exposing identities by enabling anonymous handles to be linked to email addresses and related real-world names.
According to security expert and Hudson Rock CTO Alon Gal, who verified the data, the database was circulating heavily earlier in the week and has now been leaked.
"The database contains 235,000,000 unique records of Twitter users and their email addresses and will, unfortunately, lead to a lot of hacking, targeted phishing, and doxxing," the cybersecurity expert wrote on LinkedIn. "This is one of the most significant leaks I've seen."
The leaked data also reportedly included names, usernames, email addresses, follower counts and creation dates.
According to VMware's product line marketing manager Ron Scott-Adams, however, the data is at least two years old and consists mainly of publicly available information (excluding email addresses).
Jamie Boote, associate principal consultant at Synopsys, told Infosecurity the data could have resulted from a web scraping job leveraging an old (and now fixed) Twitter bug.
"In 2021, people discovered that the Twitter API could be used to disclose email addresses that were provided from other sources and also leak some other semi-public info like tying a Twitter handle with that email address," said Boote.
"Several groups then used leaked email dumps as seed material to start farming for handles that they could then [use to] gather other information such as follower counts, profile creation date, and other information available on a Twitter profile."
Boote added that the issue was fixed last year, so the leak looks like someone "collected a bunch of these—plus combined with some new accounts—and tried to get [Elon] Musk to pay up for them."
Boote said this is a typical example of how an unsecured API that developers design to "just work" can remain unsecured because when it comes to security, what is out of sight is often out of mind.
"Humans are terrible at securing what they can't see. As always, malicious actors have your email address," Boote added.
"To be safe, users should change their Twitter password and make sure it's not reused for other sites. And from now on, it's probably best to just delete any emails that look like they're from Twitter to avoid phishing scams."
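The lookup oracle Boote describes, shown as an added illustration (not Twitter's code or any real endpoint): a leaky email-to-handle lookup beside a hardened version, plus a detection pass over constructed access-log lines that flags a client probing many distinct addresses. The endpoint path, log format and account data are all assumptions.

```python
"""Email-to-handle lookup: the oracle shape that turns a leaked email dump into
handle/email pairs, a hardened shape, and a detection over access logs.
Added illustration, not Twitter's code; every value here is constructed."""
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed toy account table (not real accounts).
USER_DB = {"alice@example.com": "alice_h", "bob@example.com": "bob_h"}

def leaky_lookup(email: str) -> dict:
    """Vulnerable shape: the response says whether the email is linked to an
    account and which handle. Fed with an email dump, this is an oracle."""
    if email in USER_DB:
        return {"found": True, "handle": USER_DB[email]}
    return {"found": False}

def hardened_lookup(email: str) -> dict:
    """Hardened shape: same response body whether or not the address is
    registered, and equivalent work on both paths, so neither the body nor
    the timing distinguishes registered from unregistered addresses."""
    handle = USER_DB.get(email, "")
    hashlib.sha256((email + handle).encode()).hexdigest()  # result unused on purpose
    return {"status": "If that address is registered, instructions were sent to it."}

def flag_enumeration(log_lines, threshold: int = 3) -> dict:
    """Return {client: distinct-emails-probed} for clients that queried more
    than `threshold` distinct addresses on the lookup endpoint.
    Assumed log format: '<client-ip> <method> <path-with-query> <status>'."""
    probes = defaultdict(set)
    for line in log_lines:
        client, _method, url, _status = line.split()
        parts = urlsplit(url)
        if parts.path != "/api/lookup":
            continue
        for email in parse_qs(parts.query).get("email", []):
            probes[client].add(email.lower())
    return {c: len(s) for c, s in probes.items() if len(s) > threshold}

# Constructed log sample: one client walking through a list of addresses.
SAMPLE_LOG = [
    "203.0.113.5 GET /api/lookup?email=a1%40example.com 200",
    "203.0.113.5 GET /api/lookup?email=a2%40example.com 200",
    "203.0.113.5 GET /api/lookup?email=a3%40example.com 200",
    "203.0.113.5 GET /api/lookup?email=a4%40example.com 200",
    "198.51.100.7 GET /api/lookup?email=me%40example.com 200",
    "198.51.100.7 GET /home 200",
]

if __name__ == "__main__":
    print(leaky_lookup("alice@example.com"))  # reveals the handle
    print(hardened_lookup("alice@example.com") == hardened_lookup("nobody@example.com"))
    print(flag_enumeration(SAMPLE_LOG))  # {'203.0.113.5': 4}
```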
The leak comes weeks after a separate breach affected over five million Twitter users in November 2022.