“This database is going to be used by hackers, political hacktivists and of course governments to damage our privacy even more,” said Alon Gal, co-founder of Israeli security firm Hudson Rock, who saw the post on a popular underground marketplace.
The records were likely compiled in late 2021, using a flaw in Twitter’s system that allowed outsiders who already had an email address or phone number to find an account that had shared that information with Twitter. These lookups can be automated to check an unlimited list of emails or phone numbers.
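To show the defensive side of the lookup flaw described above, the following Python is an added illustration, not text from the article and not Twitter's actual code. It contrasts a contact-lookup endpoint that behaves as an account-existence oracle (one request answers "is this email or phone registered, and to whom?") with a hardened version that returns an identical response for every contact, honours the user's discoverability opt-out, and rate-limits each caller so the endpoint cannot be iterated over a long list. The user store, handles, client ids and limits are all constructed sample values.

```python
"""Added example (not from the article or Twitter's code): an account-lookup
endpoint written two ways. The vulnerable version is an existence oracle that
can be scripted over a list of contacts; the hardened version answers every
request identically and rate-limits callers. All data below is constructed."""
import time
from collections import defaultdict, deque

# Constructed sample store: contact -> (handle, user allows lookup by this contact)
USERS = {
    "alice@example.com": ("@alice_example", True),
    "+15555550100":      ("@bob_example", False),   # opted out of discoverability
}


def leaky_lookup(contact: str) -> dict:
    """Vulnerable pattern: the response differs for registered vs. unknown
    contacts and even returns the handle, so one request = one oracle query."""
    record = USERS.get(contact)
    if record is None:
        return {"status": 404, "error": "no account for this contact"}
    handle, _discoverable = record      # the opt-out is not consulted at all
    return {"status": 200, "handle": handle}


class SafeLookup:
    """Hardened pattern:
    - identical response whether or not the contact matches an account,
    - the user's discoverability setting is honoured,
    - per-client sliding-window rate limit so the endpoint cannot be iterated
      over a large contact list,
    - any real match is delivered out of band (here: recorded in `outbox`)."""

    UNIFORM = {"status": 202,
               "message": "If an account matches, a notification has been sent."}

    def __init__(self, max_requests: int, window_seconds: float,
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock                 # injectable for deterministic tests
        self._hits = defaultdict(deque)    # client_id -> request timestamps
        self.outbox = []                   # stand-in for out-of-band delivery

    def _allowed(self, client_id: str) -> bool:
        """Sliding-window limiter: drop timestamps older than the window,
        then admit the request only if the client is under its quota."""
        now = self.clock()
        q = self._hits[client_id]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def lookup(self, client_id: str, contact: str) -> dict:
        if not self._allowed(client_id):
            return {"status": 429, "error": "too many requests"}
        record = USERS.get(contact)
        if record is not None and record[1]:
            handle, _ = record
            # Deliver to the contact's owner, never to the caller.
            self.outbox.append((contact, handle))
        return dict(self.UNIFORM)   # same body and status for every contact
```

The important property is that the caller of `SafeLookup.lookup` learns nothing from the response itself: a registered, an opted-out and an unknown contact all produce the same 202 body, and the only place the match surfaces is the out-of-band channel owned by the account holder. The rate limiter is a second, independent control; on its own it slows enumeration but does not remove the oracle, which is why the uniform response comes first.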
Twitter said in August that it had learned of the vulnerability in January 2022 through its bug report reward program, and that the vulnerability had been accidentally introduced in a code update seven months before that.
In July, hackers were discovered selling a set of 5.4 million Twitter account handles and associated emails and phone numbers, which Twitter said was the first it was aware of someone exploiting the flaw.
The much larger data dump was almost certainly compiled in the same way and has been offered for private sale and circulated for some time before its recent publication, Gal said.
Ireland’s Data Protection Commission said last month it was investigating the earlier breach and that Europe’s General Data Protection Regulation may have been breached. The new batch is likely to add intensity to that probe and an ongoing investigation by the US Federal Trade Commission into whether Twitter violated consent decrees in which it promised to better protect user data. The FTC declined to comment.
Three quarters of Twitter users live outside the US and Canada.
Twitter did not respond to an email seeking comment and asking if the company had any advice for users.
The users at least risk are those who provided throwaway email addresses, or addresses not associated with them anywhere else. But even they can fall victim to account takeover attempts, phishing or email threats.
In its previous statement, Twitter said it fixed the bug when it became aware of it, but did not say how long the process took. The January 2022 report came during a chaotic month when the company fired both of its top security officers.
One of them, Peiter Zatko, had argued internally that Twitter was grossly unprepared to fend off hacking attempts, and he later filed a formal whistleblower complaint with the Securities and Exchange Commission and testified about the deficiencies in Congress.
While the 235 million published records rank among the largest breaches anywhere, it’s just the latest in a series of Twitter security disasters dating back more than a decade. Frequent account takeovers led to a 2011 settlement with the FTC that Zatko said the company violated.
While Elon Musk previously used Zatko’s testimony about poor security practices in an unsuccessful attempt to get out of buying the company, he has since fired many of the security staff.