Last updated on April 25th, 2023 at 05:43 pm
Private information from over 200 million Twitter users has been published on a popular hacking forum for anyone to download. The data includes users’ email addresses and public information, such as account names and handles.
The data was likely obtained in 2021 after bad actors exploited a vulnerability in Twitter’s software. The flaw meant they could essentially ask Twitter if a given email address corresponded to an existing account on the social media platform. If it did, Twitter gave them the account profile information.
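The flaw described above is an account-enumeration oracle: a lookup endpoint whose response differs depending on whether the email is registered. The following is an added illustration, not Twitter's code, showing that pattern beside a hardened version and a check a test suite can use to catch it; the user records and client identifiers are constructed.

```python
# Added example: an email-lookup endpoint that reveals whether an address is registered,
# the hardened equivalent, and a unit-test style check for the leak.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records standing in for a user database (not real accounts).
USERS = {
    "alice@example.com": {"handle": "@alice", "name": "Alice Example"},
}


def lookup_vulnerable(email: str) -> dict:
    """Flaw pattern: the reply says whether the email maps to an account and even
    returns the profile, so a list of emails can be turned into a list of handles."""
    profile = USERS.get(email.lower())
    if profile is None:
        return {"status": "no_account"}
    return {"status": "found", "profile": profile}


@dataclass
class HardenedLookup:
    """Hardened pattern: the same reply for known and unknown emails, any real action
    happens out of band to the address owner, and each client has a request budget."""
    limit: int = 5
    counts: dict = field(default_factory=lambda: defaultdict(int))
    outbox: list = field(default_factory=list)  # stands in for email delivery

    def lookup(self, client_id: str, email: str) -> dict:
        self.counts[client_id] += 1
        if self.counts[client_id] > self.limit:
            return {"status": "rate_limited"}
        if email.lower() in USERS:
            # Only the mailbox owner learns anything; the requester sees a fixed reply.
            self.outbox.append((email.lower(), "account recovery instructions"))
        return {"status": "accepted",
                "message": "If an account exists for this address, we sent instructions to it."}


def leaks_existence(lookup, known: str, unknown: str) -> bool:
    """Regression check: an endpoint is an enumeration oracle if its reply differs
    between a registered and an unregistered email for the same client."""
    return lookup(known) != lookup(unknown)
```

The `leaks_existence` check is the kind of assertion worth keeping in an API test suite so a later change to the endpoint cannot silently reintroduce the oracle.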
New owner and self-proclaimed chief twit Elon Musk has not yet commented on the data leak. While the leak happened before he purchased the social media company, Musk’s continued silence on a significant security incident impacting over 200 million users is not a good look.
Below, I break down the effects this leak could have, how you can tell if your email was leaked, and what you can do to protect yourself.
What is the impact of this leak?
Users with anonymous Twitter accounts are most affected by this leak. That’s because the publication of the email address associated with an anonymous account’s handle could reveal the user’s identity. Depending on their circumstances, this could put them in real danger.
All affected users are also likely to receive more phishing and spam emails now that their email addresses are widely available. Those with short handles or otherwise desirable Twitter accounts are particularly at risk, as cybercriminals may use phishing emails to obtain their passwords, take over their accounts and sell them.
Affected users are also now at risk of receiving threatening or harassing emails from strangers who object to something they’ve tweeted. Lovely!
How do I know if my data was affected? And what can I do if it was?
Security researcher Troy Hunt has added the leaked email addresses to Have I Been Pwned?, a site that allows users to check whether their emails and phone numbers have been compromised in a data breach. You can enter your email to see if it has been leaked in this incident, as well as other breaches, at haveibeenpwned.com.
If your email address was leaked, it’s worth being extra cautious when handling your inbox, as you’ll likely receive phishing emails.
Phishing emails ask you to take action, such as clicking a link, to trick you into revealing sensitive information like your password. They also often create a false sense of urgency, such as claiming your account will be suspended if you don’t do as they ask within a given time period.
If you’re not sure whether an email you’ve received is a phishing attempt, reach out to the company that supposedly sent it and ask them directly. Make sure you use the contact information found on their legitimate website, however, and not the details given in the suspicious email.
You might also want to rethink whether you’re comfortable giving out your real email address to all companies that ask for it in the future. While it might not seem like there is an alternative, you could use an email masking service, like Firefox Relay, AnonAddy or SimpleLogin, instead.
These services allow you to create email aliases, i.e. alternative email addresses, which you give out instead of your real one. When an email is sent to an alias, it is automatically forwarded to your real address. If an alias is leaked, however, you can easily deactivate it, meaning any spam, phishing or other unwanted emails sent to it won’t make it to your real inbox.
Update: On January 11th 2023, Twitter released a statement denying that the leaked data came from a vulnerability in their systems. They instead claim that “The data is likely a collection of data already publicly available online through different sources”.