Hacker distributes file containing email addresses of 200 million Twitter accounts
A hacker is selling the email addresses of 200 million scraped Twitter accounts for the equivalent of two euros. The leak appears to be a deduplicated version of the 400 million Twitter account records that were put up for sale around Christmas, for which a far higher price was asked.
Have I Been Pwned, BleepingComputer and the security company Hudson Rock, among others, have since confirmed that the file is genuine. According to Have I Been Pwned, the file contains 211,524,284 unique email addresses. The new file is said to hold the same data as the earlier database of 400 million Twitter users, but without duplicates. At the time, the hacker wanted at least sixty thousand dollars for the file; now they are asking for about two dollars.
The file contains the email addresses and Twitter usernames of more than 200 million Twitter accounts, which were scraped in 2021 through vulnerabilities in Twitter's API. One vulnerability allowed users to enter email addresses and phone numbers and learn whether they were linked to a Twitter account. Through another API, the hackers were then able to scrape all public data from that Twitter account. Twitter closed these vulnerabilities in January last year.
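The lookup flaw described above, as an added illustration that is not code from Twitter or from the article: a minimal account-lookup handler whose response itself reveals whether a contact is linked to an account, beside a hardened variant (an assumed design) that answers identically either way, throttles repeated queries from one client and writes an audit trail. The user directory is constructed sample data.

```python
from collections import defaultdict

# Constructed sample data standing in for the account backend (not real accounts).
USERS = {
    "alice@example.com": "alice_handle",
    "bob@example.com": "bob_handle",
}


def lookup_vulnerable(contact: str) -> dict:
    """Mirrors the flaw in the article: the response reveals whether the
    contact is linked to an account, so any address or number can be tested."""
    if contact in USERS:
        return {"status": "linked", "account_id": USERS[contact]}
    return {"status": "not_linked"}


class HardenedLookup:
    """Assumed hardened design: the caller only learns that a message was
    dispatched if the contact is registered, never whether it is registered.
    Repeated lookups from one client are throttled and every event is logged,
    which is what a defender would watch for mass enumeration."""

    def __init__(self, max_per_window: int = 5):
        self.max_per_window = max_per_window
        self.attempts = defaultdict(int)   # client_id -> lookups in this window
        self.audit_log = []                # constructed in-memory log for detection

    def lookup(self, client_id: str, contact: str) -> dict:
        self.attempts[client_id] += 1
        if self.attempts[client_id] > self.max_per_window:
            self.audit_log.append(f"throttled client={client_id}")
            return {"status": "rate_limited"}
        # Same response for linked and unlinked contacts: account details go
        # out-of-band (to the mailbox/phone), never back to the caller.
        if contact in USERS:
            self.audit_log.append(f"recovery message sent contact={contact}")
        return {"status": "if_registered_message_sent"}
```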
Have I Been Pwned indicates that 98 percent of the leaked email addresses were already known from earlier breaches. The danger of this leak therefore lies not in the email addresses themselves, but in the fact that they are linked to Twitter accounts. Anonymous Twitter accounts can be doxed, says Hudson Rock, and accounts become easier to hijack. Besides the username and email address, the file contains names, follower counts and account creation dates. Users can check on Have I Been Pwned whether their email address can be linked to their Twitter username.
Secondly, this sets a new record: there are 1,063,803 @haveibeenpwned subscribers in this breach (I have 4.4M subscribers at present) so yeah, I have some emails to send! Then there’s another 60,851 people monitoring domains so they’ll get an email too.
— Troy Hunt (@troyhunt) January 5, 2023