200 million hacked Twitter accounts data published for free
Data dump includes details of celebrities' accounts and could be used for extortion, phishing and scamming
Researchers say details of more than 200 million Twitter accounts have been published on an online hacker forum, where they can be downloaded for free.
This is the latest sorry twist in a tale that began in 2021 last year with reports that a zero-day vulnerability in Twitter's API had been used to steal the data of 5.4 million accounts, including phone numbers and email addresses, with the hacker offering them for sale for $30,000 on dark web site Breached Forums.
The vulnerability allowed any party without any authentication to obtain a Twitter ID of any user by submitting a phone number or email. It was identified in June 2021 and fixed, but apparently not before it had been exploited to hack users' accounts.
In November last year, security expert Chad Loder claimed on Twitter that the vulnerability had been used to create a much larger data dump, containing tens of millions of records and including verified status, account names, Twitter IDs, bios and screen names, as well as personal phone numbers gathered using the same API bug. Loder was promptly suspended from Twitter on the direct order of Elon Musk, according to a former employee.
At the end of last year it was reported that 400 million Twitter records were now up for sale, with a hacker called "Ryushi" demanding $200,000 to hand over the data - which was reported to include details of accounts of US politician Alexandria Ocasio-Cortez, presenter Piers Morgan and other well known people, and deleting it.
Now it appears the hacker has given up on trying to make money from the breach and has made the stolen data available for free.
"This new leak appears to be the same as the one reported in December 2022 that affected over 400 million accounts," said Privacy Affairs, the organisation that revealed the leak, on a blog post. "The 200 million number, in this case, resulted from the removal of duplicates."
The leaked data includes account name, handle, creation date, follower count and email address, according to the organisation, which publishes security information and advice.
It could be used to hack Twitter users' accounts as well as for phishing, fraud, doxxing, scams extortion and other offences. Users are advised to be alert to the signs of any such attempts.
Twitter's European headquarters are in Ireland and the country's Data Protection Commission is investigating the breach to see if Twitter complied with its obligations with respect to the processing of personal data and the GDPR.
Twitter has not commented on the breach.