(CNN) — Security experts say email addresses linked to more than 200 million Twitter profiles are currently circulating on underground hacker forums.
Experts have warned that the apparent data leak could expose the true identities of anonymous Twitter users and make it easier for criminals to hijack their Twitter accounts, or even victims’ accounts on other websites.
The trove of leaked logs also includes Twitter usernames, account names, number of followers and account creation dates, according to forum listings reviewed by security researchers and shared with CNN.
Rafi Mendelsohn, a spokesman for Cyabra, a social media analytics company that focuses on identifying misinformation and inauthentic behavior on the Internet, says: “Bad actors hit the jackpot. Previously private data, such as email addresses, usernames and creation dates, can be leveraged to create smarter and more sophisticated hacking, phishing and misinformation campaigns.”
Some reports suggested that the data was collected in 2021 through a bug in Twitter’s systems, a flaw that the company corrected in 2022 after a separate incident in July, which exposed 5.4 million Twitter accounts, alerted the company to the vulnerability.
Troy Hunt, a security researcher, said on Thursday that an analysis of the data “found 211,524,284 unique email addresses” that were leaked. The Washington Post previously reported that one forum was publicizing data from 235 million accounts.
Hunt did not immediately respond to a question from CNN about whether the records would be added to his website, haveibeenpwned.com, which allows users to search hacked records to determine whether they were affected. CNN has not independently verified the authenticity of the records.
Twitter did not immediately respond to a request for comment. Its communications team, along with nearly half of Twitter’s total workforce, was laid off after billionaire Elon Musk completed his acquisition of the company in late October. The deep staff cuts could raise concerns about the company’s ability to respond to security threats.
The breadth of the leaked data could allow malicious actors or repressive governments to link anonymous Twitter accounts to their owners’ real names or email addresses, potentially putting dissidents, journalists, activists or other users around the world at risk, security researchers have warned.
“For those people, this is a very important vulnerability,” says John Scott-Railton, a security researcher at the Citizen Lab at the University of Toronto.
Account data can also be valuable to hackers, who can use it to reset passwords and hijack accounts. According to the researchers, the risk is especially high for people who reuse their Twitter credentials on other digital services, such as banks or cloud storage, because hackers may be able to use information obtained from the leak to get into accounts on those other sites.
Verified Twitter users affected by the apparent leak, or users with particularly high follower counts, would be especially valuable targets, security experts warned, as the holders of those accounts could be influential celebrities or could be vulnerable to extortion.
Security researchers say that to protect against phishing attempts, users should use unique passwords for each online service and keep track of them using a digital password manager. They should also turn on multi-factor authentication for each of their accounts and be careful when opening unsolicited emails or links.
According to cybersecurity outlet BleepingComputer, which said it had analyzed the data, the recent leak appears to be similar to one advertised on hacker forums in November, which contained 400 million records, though it has been scaled down to remove some duplicates. Twitter has not commented on that leak.
Reports of the leak could exacerbate Twitter’s already significant legal and regulatory exposure.
In December, the Irish Data Protection Commission, Twitter’s lead privacy regulator in Europe, said it was investigating the July 2022 leak as a possible breach of Europe’s flagship privacy law, known as the GDPR.
Last summer, the company’s former security chief Peiter “Mudge” Zatko submitted a whistleblower report to the US government that exposed long-neglected security vulnerabilities in Twitter’s operations. Zatko claimed that Twitter’s security deficiencies amounted to a violation of the company’s binding commitments to the Federal Trade Commission (FTC), which would constitute a felony. (Twitter broadly and repeatedly denied Zatko’s allegations.)
Repeated incidents at Twitter have led the company to sign two consent orders with the FTC since 2011 to improve its cybersecurity posture. Failure to comply with FTC orders can result in fines, business restrictions, and even penalties against individual executives.
In November, senior Twitter executives responsible for privacy and security resigned from the company, just days after Musk closed the acquisition of the platform and amid mass layoffs that in some cases affected entire departments.