An epic Twitter hack has seen more than 200 million user email addresses stolen and posted for sale on an online forum, according to a credible security researcher.
The forum post reportedly appeared on 24 December 2022, wherein a threat actor claimed to have collected the data of over 400 million unique Twitter users scraped via a vulnerability.
While the stolen data was initially intended for sale and kept private, later research by cyber security monitoring firm Hudson Rock suggested the database has since been leaked for free, revealing a smaller-yet-still-gigantic exposure of 235 million unique records from Twitter users.
"The database contains 235,000,000 unique records of Twitter users and their email addresses and will unfortunately lead to a lot of hacking, targeted phishing, and doxxing," said Hudson Rock Co-Founder Alon Gal.
"This is one of the most significant leaks I've seen," he added.
The allegedly stolen data is said to contain both public and private Twitter data, including users' email addresses, names, user names, creation date and phone numbers, and could potentially be used to link anonymous handles to real-world identities.
Gal further explained the database containing the leaked records is likely circulating online with "more than one threat actor" actively selling the data.
Twitter is yet to comment on these findings from 24 December, nor has the company responded to recent inquiries regarding the breach.
A breach years in the making
While the forum post only appeared over the holiday period, the leaked records are said to be traceable to a Twitter security incident dating back to 2021.
In January 2022, Twitter was made aware through its bug bounty program of an Application Programming Interface (API) flaw which reportedly allowed attackers to submit email addresses or phone numbers acquired elsewhere and retrieve the Twitter ID of any account registered with them.
While the company said it "immediately investigated and fixed" the bug after learning about it, security experts estimate that the records now allegedly leaked were compiled in late 2021 by exploiting the same API flaw.
"In 2021, people discovered that the Twitter API could be used to disclose email addresses that were provided from other sources," explained Jamie Boote, Associate Principal Consultant at Synopsys Software Integrity Group.
"Several groups then used leaked email dumps as seed material to start farming for handles that they could then gather other information such as follower counts, profile creation date, and other information available on a Twitter profile."
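The pattern Boote describes is account enumeration: an endpoint that answers "is this email or phone registered, and to which account?" turns any third-party email dump into a list of handles. The Python below is an added illustration, not Twitter's code; the user table, identifiers and endpoint behaviour are constructed and hypothetical. It shows the oracle-style lookup, the farming loop an attacker would run over seed identifiers, and a hardened handler whose response is identical whether or not the identifier exists and which caps how many lookups a single caller may make.

```python
"""Account-enumeration pattern behind the described API flaw (added example).

Everything here is constructed for illustration: the user table is fictitious
and the endpoint shapes are assumptions, not Twitter's real API.
"""
from collections import defaultdict

# Constructed sample user table (all fictitious).
USERS = {
    1001: {"handle": "alice_dev", "email": "alice@example.com", "phone": "+15550100"},
    1002: {"handle": "bob_ops", "email": "bob@example.net", "phone": "+15550101"},
    1003: {"handle": "anon_handle", "email": "hidden@example.org", "phone": None},
}

# Reverse indexes, as a contact-discovery feature would keep them.
BY_EMAIL = {u["email"]: uid for uid, u in USERS.items()}
BY_PHONE = {u["phone"]: uid for uid, u in USERS.items() if u["phone"]}


def lookup_vulnerable(identifier: str) -> dict:
    """Hypothetical flawed endpoint: the caller needs no credentials tied to
    the account, yet the response reveals whether the identifier is
    registered and returns the account id and handle. That difference in
    responses is the oracle an attacker enumerates against."""
    uid = BY_EMAIL.get(identifier) or BY_PHONE.get(identifier)
    if uid is None:
        return {"exists": False}
    return {"exists": True, "user_id": uid, "handle": USERS[uid]["handle"]}


def farm_handles(seed_identifiers) -> dict:
    """Attacker side: push emails/phones leaked from other sources through
    the endpoint and keep the hits. Returns {identifier: handle}, which can
    then be enriched with public profile data."""
    hits = {}
    for ident in seed_identifiers:
        resp = lookup_vulnerable(ident)
        if resp["exists"]:
            hits[ident] = resp["handle"]
    return hits


class HardenedLookup:
    """Hardened variant of the same feature. Two changes matter:
    1. The response is identical whether or not the identifier is registered;
       any follow-up (reset link, contact match) goes to the address owner
       out of band, so the caller learns nothing.
    2. Each caller gets a small per-window budget, so bulk probing with a
       large seed list is cut off."""

    def __init__(self, per_client_budget: int = 5):
        self.budget = per_client_budget
        self.calls = defaultdict(int)
        self.sent_notifications = []  # stands in for an outbound mail queue

    def lookup(self, client_id: str, identifier: str) -> dict:
        self.calls[client_id] += 1
        if self.calls[client_id] > self.budget:
            return {"status": "rate_limited"}
        uid = BY_EMAIL.get(identifier) or BY_PHONE.get(identifier)
        if uid is not None:
            # Side effect only reaches the real owner, never the caller.
            self.sent_notifications.append(USERS[uid]["email"])
        # Same body for hit and miss: no oracle to test against.
        return {"status": "accepted"}


if __name__ == "__main__":
    seeds = ["alice@example.com", "nobody@example.com", "+15550101"]
    print("farmed:", farm_handles(seeds))
    h = HardenedLookup(per_client_budget=2)
    for s in seeds:
        print("hardened:", h.lookup("attacker", s))
```

Removing the oracle is the fix that matters; the rate limit alone only slows a distributed scraper, and the leak described above is exactly what a patient scraper with a large seed list produces when both controls are missing.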
API vulnerabilities have been a recurrent security issue in larger organisations – recently, Optus' landmark 2022 data breach was also said to stem from an API issue.
In the case of Twitter, the initial bug behind this incident resulted from an update to Twitter's code in June 2021.
"This is a common example of how an unsecured API that developers design to 'just work' can remain unsecured because when it comes to security, what is out-of-sight is often out-of-mind; humans are terrible at securing what they can't see," said Boote.
"To be safe, users should change their Twitter password and make sure it's not reused for other sites. And from now on, it's probably best to just delete any emails that look like they're from Twitter to avoid phishing scams," he added.
Is the leaked data legitimate?
News agency Reuters, which recently reported on Gal's findings, said it could not independently verify whether the data on the forum was authentic and came from Twitter.
First-hand reports from researchers and cyber security experts, however, indicate the data is likely legitimate.
Some notable figures whose names reportedly appear in the leaked datasets, such as Kevin O'Leary and Piers Morgan, have also recently had their Twitter accounts hacked.
While the reason for the delay between the 2021 scraping and this leak is yet to be confirmed, Boote suggests the recent activity may be financially motivated and linked to Elon Musk's acquisition of Twitter.
"Musk bought Twitter, and dumps of these started showing up for sale as hackers were looking to get paid for their efforts," he said.
"Most recently, it appears as though someone collected a bunch of these – plus combined with some new accounts – and tried to get Musk to pay up for them."
It is unclear what actions Twitter has taken to investigate or mitigate this unfolding issue.