The Limited Times


Hackers publish email addresses linked to 200 million Twitter accounts, according to security researchers

2023-01-06T08:23:39.241Z


The apparent email leak could expose the real identities of anonymous Twitter users and make it easier for criminals to hijack accounts.



(CNN) --

Email addresses linked to more than 200 million Twitter profiles are currently circulating on underground hacker forums, security experts say.


The apparent data leak could expose the real identities of anonymous Twitter users and make it easier for criminals to hijack those accounts, or even victims' accounts on other websites, experts warned.

The trove of leaked records also includes Twitter user names, account names, number of followers and account creation dates, according to forum listings reviewed by security researchers and shared with CNN.


Rafi Mendelsohn, a spokesman for Cyabra, a social media analytics company that focuses on identifying misinformation and inauthentic behavior on the Internet, says: "The bad actors hit the jackpot."

"Previously private data, such as email addresses, usernames, and date created, can be leveraged to build smarter and more sophisticated hacking, phishing, and disinformation campaigns."

Some reports suggested the data was collected in 2021 through a bug in Twitter's systems, a flaw the company fixed in 2022 after a separate incident in July involving 5.4 million Twitter accounts alerted the company to the vulnerability.

Troy Hunt, a security researcher, said Thursday that his analysis of the data "found 211,524,284 unique email addresses" that had been leaked.

The Washington Post previously reported that a forum was promoting the data of 235 million accounts.


Hunt did not immediately respond to a CNN question about whether the records would be added to his website, haveibeenpwned.com, which allows users to search for hacked records to determine if they were affected.

CNN has not independently verified the authenticity of the records.

Twitter did not immediately respond to a request for comment.

Its communications team, along with about half of Twitter's total staff, was laid off after billionaire Elon Musk completed his acquisition of the company in late October.

Major staff reductions could now add to concerns about the company's ability to respond to security threats.

The breadth of the leaked data could allow malicious actors or repressive governments to connect anonymous Twitter accounts to the real names or email addresses of their owners, potentially exposing dissidents, journalists, activists or other at-risk users around the world, security researchers warn.

"For those people, this is a very important vulnerability," says John Scott-Railton, a security researcher at the Citizen Lab at the University of Toronto.

Account data could also be valuable to hackers, who could use it to try to reset passwords and hijack accounts.

According to the researchers, the risk is especially high for people who use the same account credentials on Twitter as on other digital services, such as banking or cloud storage, because hackers could use the information obtained from the leak to get into Twitter users' accounts on other sites.

Verified Twitter users affected by the apparent leak, or users with particularly high follower counts, will be especially valuable targets as a result of the leak, security experts warned, as the holders of those accounts may be particularly influential celebrities or susceptible to extortion.


To protect against phishing attempts, users should use unique passwords for each online service and keep track of them using a digital password manager, security researchers say.

They should also turn on multi-factor authentication for each of their accounts and be careful when opening unsolicited emails or links.

According to cybersecurity outlet BleepingComputer, which claimed to have analyzed the data, the recent leak appears similar to one announced on hacker forums in November, which contained 400 million records, though it has been scaled down to remove some duplicates.

Twitter has not commented on that leak.

Reports of the leak could add to Twitter's already significant legal and regulatory risk.

In December, Twitter's main privacy regulator in Europe, the Irish Data Protection Commission, said it is investigating the July 2022 leak as a possible violation of Europe's most important privacy law, known as GDPR.

Last summer, the company's former head of security Peiter "Mudge" Zatko submitted a report to the US government exposing long-ignored security vulnerabilities in Twitter's operations.

Zatko claimed that Twitter's security deficiencies reflected a breach of the company's binding commitments to the Federal Trade Commission (FTC), which constituted a felony.

(Twitter widely and repeatedly rebutted Zatko's allegations.)


Successive incidents on Twitter have led the company to sign two consent orders with the FTC since 2011 to improve its cybersecurity posture.

Failure to comply with the FTC's orders can result in fines, business restrictions, and even penalties against individual executives.

In November, senior Twitter officials responsible for privacy and security resigned from the company, just days after Musk closed the acquisition of the platform and amid mass layoffs that in some cases impacted entire departments.


Source: cnnespanol
