235 million Twitter accounts and email addresses have been posted to an online hacking forum.
Yikes.
The Washington Post reports that this breach sets the stage for anonymous handles to be linked to real-world identities.
That poses threats of exposure, arrest or violence against people who used Twitter to criticize governments or powerful individuals, and it could open up others to extortion, security experts said. Hackers could also use the email addresses to attempt to reset passwords and take control of accounts, especially those not protected by two-factor authentication.
BIG yikes.
Alon Gal, co-founder of Israeli cybersecurity-monitoring firm Hudson Rock, first posted about this hack on social media on December 24, called it "one of the most significant leaks I've seen," and said it will "unfortunately lead to a lot of [further] hacking, targeted phishing, and doxxing."
Phishing: a tactic used by cybercriminals who send emails or text messages claiming to be from reputable companies. These messages ask their targets to send them personal information, including credit card numbers, passwords, and other sensitive data.
Doxxing: the practice whereby internet users maliciously post an individual's address or other sensitive information online without their consent.
This database is going to be used by hackers, political hacktivists and of course governments to harm our privacy even further.
Twitter has been very quiet. They have not yet commented on the report, and it isn't clear if Twitter has taken any action to investigate or help their users.
From The Washington Post:
The records were probably compiled in late 2021, using a flaw in Twitter's system that allowed outsiders who already had an email address or phone number to find any account that had shared that information with Twitter. Those lookups could be automated to check an unlimited list of emails or phone numbers.
Twitter said in August that it had learned of the vulnerability in January 2022 through its reward program for bug reports and that the vulnerability had been accidentally introduced in a code update seven months before that.
In July, hackers were spotted selling a set of 5.4 million Twitter account handles and associated emails and phone numbers, which Twitter said was the first it learned that someone had taken advantage of the flaw.
Based on screenshots circulating online, there were no clues to the identity of the hacker (or hackers), but it may have taken place in early 2021 before Elon Musk took over.
Last month, Ireland's Data Protection Commission said it was investigating the earlier breach and that Europe's General Data Protection Regulation might have been violated.
From The Washington Post:
The new batch is likely to add to the intensity of that probe and an ongoing inquiry by the U.S. Federal Trade Commission into whether Twitter has been violating consent decrees in which it promised to better protect user data. The FTC declined to comment.
Three-quarters of Twitter users live outside the United States and Canada.
Troy Hunt, creator of breach-notification site Have I Been Pwned, reviewed the leaked data and said on Twitter that it seemed "pretty much what it's been described as."
A significant breach at Twitter should interest regulators on both sides of the Atlantic.