Researchers say that a trove of email addresses linked to 200 million users is likely a refined version of the larger one that was stolen from 400 million users. The social network has not commented on the leak, but a cache of data shows who may be most at risk.

A bug in the application programming interface allowed attackers to submit contact information, such as email addresses, and get back the associated account. The flaw was exploited before it was fixed. The bug didn't allow access to passwords or other sensitive information, but it did expose the connection between accounts, which are often pseudonymous, and the email addresses and phone numbers associated with them.

Multiple actors were able to exploit the vulnerability while it was live. The email addresses and phone numbers of more than five million users of the micro-messaging service were included in a document that was circulating in criminal forums. The trove seems to contain only email addresses. Widespread circulation of the data creates a risk that it will fuel attacks on individuals.

WIRED didn't get a reply to its requests. In an August disclosure, the company wrote that it fixed the vulnerability after learning of it. There was no evidence to suggest that someone had exploited the vulnerability. It was not possible to detect the malicious scraper.

It is common in such scenarios for there to be confusion about how many distinct troves of data actually exist as a result of malicious exploitation. There are more connections and validation to the massive body of stolen data that already exists about users in the criminal community.

There are many people who were aware of the vulnerability and many people who took advantage of it. Is it possible that different people have different jobs? There are a lot of troves. Troy Hunt is the founder of the website HaveIBeenPwned. Hunt took the data from HaveIBeenPwned and said that it contained information about more than 200 million accounts. Almost all of the email addresses had been exposed in previous breaches.

He is the first to send a seven-figure email. A quarter of my subscribers is significant. I don't think this incident will have a long tail in terms of impact because it's already been out there. It may make people feel less anonymous. I'm more worried about people who want to keep their private life out of the public eye.