Cybercrime sleuth says Twitter hack exposed more than 200 million users’ email addresses

Some security commentators have said the Twitter breach could be used by nefarious actors. Photo / 123rf

Hackers have reportedly stolen the email addresses of more than 200 million Twitter users and posted them on an online hacking forum.

Cybercrime intelligence researcher Alon Gal said hackers would use the new leaked database to target crypto Twitter accounts and hack into high profile accounts and political accounts.

“It goes without saying that agencies around the world will use this database as well to further harm our privacy,” Gal said on LinkedIn yesterday.

The Washington Post said records of 235 million Twitter accounts and the email addresses used to register accounts were posted to an online hacking forum, “setting the stage for anonymous handles to be linked to real-world identities”.

The records were probably compiled in late 2021, using a flaw in Twitter’s system allowing outsiders who already had an email address or phone number to find any account that had shared that information with Twitter, the Post added.

“Those lookups could be automated to check an unlimited list of emails or phone numbers.”

Have I Been Pwned, a website allowing users to see if email addresses had already been in a data breach, said 98 per cent of the email addresses raided in the Twitter hack had already been in previous breaches.

Reuters said Twitter had not commented on the report, which Gal first posted about on social media on Christmas Eve, nor responded to inquiries about the breach since that date.

CNN said security experts believed the email addresses were currently circulating on underground hacker forums.

“The apparent data leak could expose the real-life identities of anonymous Twitter users and make it easier for criminals to hijack Twitter accounts, the experts warned, or even victims’ accounts on other websites,” CNN added.

But technologist Ron Scott-Adams said there was not much need for alarm.

“Given the only non-public data it contains is the email address, this won’t directly lead to anything: the hacker must still infiltrate the email address or the account itself,” Scott-Adams said in response to Gal’s post.

“It’s also worth noting this appears to be entirely [more than] two-year-old data. It’s a large leak, but not an extremely severe one.”