Hacker distributes file with email addresses of 200 million Twitter accounts

Spread the love

A hacker sells the email addresses of 200 million scraped Twitter accounts for the equivalent of two euros. The leak appears to be a duplicated version of the 400 million Twitter account details that were put up for sale around Christmas and demanded more.

In the meantime, among other things Have I Been Pwned, Bleeping Computer and security company Hudson Rock confirms the validity of the file. According to Have I Been Pwned, there are 211,524,284 unique email addresses in the file. The new file would contain the same data as the earlier database of 400 million Twitter users, but with no duplicates. At the time, the hacker also wanted a minimum of sixty thousand dollars for the file, now about two dollars is requested.

The file contains the email addresses and Twitter usernames of more than 200 million Twitter accounts, which were scraped in 2021 with vulnerabilities in Twitter’s API. With that vulnerability, users could enter email addresses and phone numbers to confirm whether they are linked to a Twitter account. With another API, hackers were able to scrape all public data from this Twitter account again. Twitter closed these vulnerabilities in January last year.

Have I Been Pwned indicates that 98 percent of leaked email addresses were previously known. The danger of the leak is therefore not in the leaking of the e-mail addresses, but that they are linked to Twitter accounts. For example, anonymous Twitter accounts can be doxed, says Hudson Rock, and accounts can be hacked more easily. In addition to the username and email address, the file contains names, number of followers and when an account was created. Users can see on Have I Been Pwned whether their email address can be linked to their Twitter username.

Secondly, this sets a new record: there are 1,063,803 @haveibeenpwned subscribers in this breach (I have 4.4M subscribers at present) so yeah, I have some emails to send! Then there’s another 60,851 people monitoring domains so they’ll get an email too.

— Troy Hunt (@troyhunt) January 5, 2023

You might also like