What Twitter’s 200 million email leak really means

Researchers say that a trove of email addresses linked to 200 million users is likely a refined version of the larger one that was stolen from 400 million users. The social network has not commented on the leak, but a cache of data shows who may be most at risk.

There was a bug in the application programming interface that allowed attackers to submit contact information like email addresses and get the associated account if they wanted. The flaw was exploited before it was fixed. The bug didn't allow for access to passwords or other sensitive information, but it did expose the connection between accounts, which are often pseudonymous, and the email addresses and phone numbers associated with them.

While it was live, the vulnerability was seemingly exploited by multiple actors to build different collections of data. One that has been circulating in criminal forums since the summer included the email addresses and phone numbers of about 5.4 million Twitter users. The massive, newly surfaced trove seems to only contain email addresses. However, widespread circulation of the data creates the risk that it will fuel phishing attacks, identity theft attempts, and other individual targeting.

WIRED didn't get a reply to their requests. In an August disclosure, the company wrote that they fixed the vulnerability after learning of it. There was no evidence to suggest that someone had exploited the vulnerability. It was not possible to detect the malicious scraper.

Advertisement

It is common in such scenarios for there to be confusion about how many distinct troves of data actually exist as a result of malicious exploitation. The incidents add more connections and validation to the massive body of stolen data that already exists in the criminal community.

There are many people who were aware of the vulnerability and many people who took advantage of it. Is it possible that different people have different jobs? There are a lot of troves. Troy Hunt is the founder of the website HaveIBeenPwned. Hunt took the data from HaveIBeenPwned and said that it contained information about more than 200 million accounts. Almost all of the email addresses had been exposed in previous breeches.

He is the first to send a seven-figure email. A quarter of my subscribers is significant. I don't think this incident will have a long tail in terms of impact because it's already been out there. It may make people feel less anonymous. I'm more worried about people who want to keep their private life out of the public eye.

The potential for users' pseudonymous accounts to be linked to their real identities as a result of the vulnerability was brought to the attention of the company.

The company wrote that it understands the risks of an incident like this happening if you operate a pseudonymous account. Adding a publicly known phone number or email address to your account is not a good idea.

The advice comes too late for users who already linked their accounts to email at the time of the scraper. Potentially impacted individuals were notified by the social network in August. The company doesn't know if it will do further notification in light of the exposed records.

Ireland's Data Protection Commission said last month that it is investigating the incident that produced the trove of millions of users' email addresses and phone numbers. The US Federal Trade Commission is investigating whether the company violated a consent decree that required it to improve its privacy and data protection measures.

The story was first published on wired.com.