A dataset purportedly comprising the email addresses and phone numbers of over 400 million Twitter users just a few weeks ago was listed for sale on the hacker forum Breached Forums. The information was initially released on December 23, 2022, by a hacker going by the handle "Ryushi." The attacker demanded $200,000 for an "exclusive" sale of the information. The attacker also warned that the social media platform might face a hefty GDPR charge for failing to secure user data since a fine would be imposed.
Now, the information for 235 million Twitter accounts, including the email addresses used to sign up for them, has been released on an online hacker forum, opening the door for linking anonymous handles to real-world identities.
Security experts warned that individuals who use the social network platform to criticize governments or influential people may be in danger of violence, exposure, arrest, and possibly extortion.
Furthermore, hackers can utilize email addresses to access accounts and reset passwords, particularly those that do not employ two-factor authentication. In addition, hackers can use email addresses to target individuals in phishing attacks.
Alon Gal, co-founder of the security firm Hudson Rock, saw the advertisement on a popular underground marketplace. Gal immediately commented, stating that hackers, political activists, and governments can use the database to undermine privacy.
The data was most likely compiled sometime in the latter half of 2021 by taking advantage of a weakness in Twitter's system. The vulnerability the attackers exploited made it possible for third parties to find Twitter account information with a phone number or email address.
Twitter stated in August that the flaw was unintentionally introduced during a software upgrade seven months earlier and was discovered in January 2022 through Twitter's incentive program for reporting bugs.