Your Tech Story

What Does Twitter 200 Million User Email Leak Actually Mean?

Researchers say that after reports surfaced at the end of 2022 that hackers were peddling data stolen from 400 million Twitter users, a widely publicized collection of email addresses linked to about 200 million users is likely a refined version of the larger collection with duplicate entries removed.

Although Twitter has yet to respond to the extensive disclosure, the cache of information underlines the extent of the leak and who may be most at risk as a result of it.

[Image: Twitter. Image source: techradar.com]

A weakness in a Twitter application programming interface, or API, existed from June 2021 to January 2022 and allowed attackers to send contact information, such as email addresses, and receive the corresponding Twitter account, if any, in response.

Attackers used the vulnerability to “scrape” data from the social network before it was fixed.

The issue exposed the connection between Twitter accounts, which are frequently pseudonymous, and the email addresses and phone numbers attached to them, potentially identifying users, even if it did not allow hackers to access passwords or other sensitive information like DMs.
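To make the class of flaw described above concrete from a defender's point of view, the following added example (constructed for this article, not Twitter's code or a reconstruction of its API) shows a contact-lookup handler whose response acts as an oracle for the contact-to-account linkage, next to a hardened design that returns the same response whether or not a match exists, acts on any match out of band, and rate-limits each client. The account directory, handles, client ids and limits are made-up sample values.

```python
"""Constructed illustration of a contact-to-account oracle (the flaw class the
article describes) beside a hardened design. Not Twitter's code; the directory,
handles, client ids and limits are made-up sample values."""
from collections import defaultdict, deque
from typing import Deque, Dict, List

# Constructed sample directory mapping contact details to account handles.
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "@alice_handle",
    "+15550100": "@bob_handle",
}


def leaky_lookup(contact: str) -> dict:
    """Vulnerable pattern: the response itself reveals whether the submitted
    contact is linked to an account and which one, so anyone who can call the
    endpoint can de-pseudonymise users one contact at a time."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"status": 404, "body": {"error": "no account for that contact"}}
    return {"status": 200, "body": {"handle": handle}}


class SlidingWindowLimiter:
    """Per-client request cap over a sliding time window (constructed helper)."""

    def __init__(self, max_calls: int, window_s: float) -> None:
        self.max_calls = max_calls
        self.window_s = window_s
        self._calls: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client_id: str, now: float) -> bool:
        q = self._calls[client_id]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


class HardenedLookup:
    """Hardened pattern: the caller never learns whether a match exists.
    Any linkage is acted on out of band (a message to the submitted contact),
    the HTTP response is byte-for-byte identical in both cases, and calls are
    capped per authenticated client so bulk scraping is throttled and shows
    up in rate-limit telemetry."""

    def __init__(self, limiter: SlidingWindowLimiter) -> None:
        self.limiter = limiter
        self.outbox: List[str] = []  # stands in for an email/SMS queue

    @staticmethod
    def _uniform_response() -> dict:
        # Built fresh on every call so callers cannot mutate shared state.
        return {"status": 202,
                "body": {"message": "If an account matches, we will contact it directly."}}

    def lookup(self, contact: str, client_id: str, now: float) -> dict:
        if not self.limiter.allow(client_id, now):
            return {"status": 429, "body": {"error": "rate limit exceeded"}}
        handle = ACCOUNTS.get(contact)
        if handle is not None:
            # The linkage stays server-side; only the contact's owner is told.
            self.outbox.append(f"to={contact}: someone looked up your account")
        return self._uniform_response()  # same status and body either way


if __name__ == "__main__":
    print(leaky_lookup("alice@example.com"))   # leaks the linked handle
    print(leaky_lookup("nobody@example.com"))  # leaks that no account exists
    h = HardenedLookup(SlidingWindowLimiter(max_calls=3, window_s=60))
    print(h.lookup("alice@example.com", "client-1", now=0.0))
    print(h.lookup("nobody@example.com", "client-1", now=1.0))
```

The two properties worth checking in a review of any "find by email or phone" endpoint are the ones the hardened class enforces: the response for a matching contact must be indistinguishable from the response for an unknown one, and per-client quotas must be low enough that enumerating a large contact list is slow and generates an alert rather than completing quietly.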

The vulnerability appeared to have been used by numerous actors to create various data sets while it was active. The email addresses and phone numbers of roughly 5.4 million Twitter users were contained in one that has been going around in criminal forums since the summer.

The vast, recently discovered cache appears to simply include email addresses.

Its widespread distribution nonetheless increases the chance that the data will be used to support phishing attacks, identity theft attempts, and other forms of personal targeting.

Twitter is by no means the first platform whose data has been mass-scraped through an API flaw, and in such cases it is common for confusion to arise over how many distinct data troves actually resulted from criminal exploitation.

These incidents still matter, however, because each one adds further links and validation to the vast volume of stolen user data already circulating in the criminal ecosystem.

As a result of the API vulnerability, Twitter expressed concern in an email to users in August that their pseudonymous accounts might be connected to their real identities. The organization said in a statement, “If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened.

To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”

However, the advice is too late for those who weren’t already linking their Twitter accounts to burner email addresses at the time of the scraping. The social network announced in August that it was informing those who might be impacted about the problem. In light of the hundreds of millions of records that were exposed, the corporation has not indicated if it will send out more notifications.

The Data Protection Commission of Ireland announced last month that it is looking into the event that resulted in the collection of 5.4 million users’ email and phone numbers. The US Federal Trade Commission is also looking into whether Twitter broke the terms of a “consent decree” that required the firm to strengthen its user privacy and data protection policies.
