Hackers release email addresses linked to 200 million Twitter accounts, security researchers say | CNN Business
0
0
CNN
—
Email addresses linked to more than 200 million Twitter profiles are currently circulating on underground hacker forums, security experts say. The apparent data leak could expose the real identities of anonymous Twitter users and make it easier for criminals to hijack Twitter accounts, experts warned, or even victims’ accounts on other websites.
The pool of leaked logs also includes Twitter user names, account IDs, follower numbers and dates the accounts were created, according to forum lists reviewed by security researchers and shared with CNN.
“The bad actors have hit the jackpot,” said Rafi Mendelsohn, a spokesman for Cyabra, a social media analytics company focused on identifying misinformation and inauthentic online behavior. “Previously private data, such as emails, IDs and creation date, can be leveraged to create smarter and more sophisticated hacking, phishing and disinformation campaigns.”
Some reports suggested that the data was collected in 2021 through an error in Twitter’s systems, a company flaw. set in 2022 after a separate incident in July involving 5.4 million Twitter accounts alerted the company to the vulnerability.
Troy Hunt, security researcher, said You said your analysis of the data “found 211,524,284 unique email addresses” that had been leaked. The Washington Post previously reported a list of forums promoting the data of 235 million accounts.
Hunt did not immediately respond to a question from CNN asking if the records would be added to his website, haveibeenpwned.com, which allows users to search hacked records to determine if they have been affected. CNN has not independently verified the authenticity of the records.
Twitter did not immediately respond to a request for comment. Its communications team, along with roughly half of Twitter’s global workforce, was gutted after billionaire Elon Musk completed his takeover of the company in late October. The significant staff cuts now could raise concerns about the company’s ability to respond to security threats.
The breadth of leaked data could allow malicious actors or repressive governments to connect anonymous Twitter IDs to their owners’ real names or email addresses, potentially unmasking dissidents, journalists, activists or other at-risk users across the globe. world, security researchers warn.
“For these people, this is a very consequential breach,” said John Scott-Railton, a security researcher at the University of Toronto’s Citizen Lab.
Account data can also be valuable to hackers who can use the information as part of password reset attempts and account takeovers. Researchers said the risk is particularly high for people who use the same account credentials on Twitter as for other digital services, such as banks or cloud storage, because hackers could take the information obtained from the leak to open user accounts elsewhere.
Verified Twitter users caught in the apparent leak, or users with particularly large followings, will be particularly valuable targets as a result of the leak, security experts warned, as such account holders may be particularly influential celebrities or susceptible to extortion.
To protect themselves from phishing attempts, Internet users should use unique passwords for each online service and keep track of them using a digital password manager, security researchers say. They should also enable multi-factor authentication for each of their accounts and exercise caution when opening unsolicited emails or links.
According to cybersecurity news channel BleepingComputer, which claimed to have tested the data, the latest dump appears similar to a leaked data set announced on hacking forums in November containing an alleged 400 million records, but scaled down to remove some duplicate records. Twitter has not commented on this leak.
Reports of the leak could widen Twitter’s already significant legal and regulatory risk.
In December, Twitter’s top European privacy regulator, the Irish Data Protection Commission, said it was investigating the July 2022 leak as a possible violation of Europe’s signature privacy law, known as GDPR.
Last summer, the company’s former security chief, Peiter “Mudge” Zatko, filed a report with the US government alleging long-ignored security vulnerabilities in Twitter’s operations. Zatko claimed that Twitter’s security shortcomings reflected a breach of Twitter’s binding commitments to the Federal Trade Commission, a serious crime. (Twitter has widely and repeatedly rejected Zatko’s allegations.)
Successive incidents at Twitter have led the company to sign two consent orders with the FTC since 2011 to improve its cybersecurity posture. Violations of the FTC’s orders can result in fines, business restrictions, and even sanctions directed at individual executives.
In November, Twitter’s top executives responsible for privacy and security resigned from the company, just days after Musk closed his purchase of the platform and amid mass layoffs that in some cases cut entire departments.
.
