Criminal Hackers Leak Email Addresses of 220 Million Twitter Users

Twitter is in the middle of yet another PR disaster after a criminal hacker leaked more than 220 million users’ email addresses.

The fraudster, who goes by the name ‘Ryushi’, initially demanded $200,000 (about £166,000) to hand over or delete the stolen information. A week later – after presumably being rebuffed by Twitter – the hacker put the data up for sale on the hacking forum Breached.

Although it appears that no personal information beyond email addresses was compromised, the incident poses significant privacy risks.

For instance, many people can be easily identified by their email address – particularly if they use their name or the name of their business. This could be particularly troublesome for celebrities and other high-profile figures.

The cyber crime intelligence firm Hudson Rock says it was the first to raise the alarm about the sale of the data. Alon Gal, the organisation’s co-founder, believes that the damage could extend beyond simple cyber crime.

“This database is going to be used by hackers, political hacktivists and of course governments to harm our privacy even further,” he said.

Where did the data come from?

The stolen information dates to 2021, when cyber criminals discovered a flaw in Twitter’s systems. The API vulnerability enabled them to input email addresses or phone numbers to confirm whether they were associated with a Twitter ID.

The fraudsters combined this with web scraping software to search the Internet for publicly available email addresses tied to Twitter accounts. The criminal hackers were therefore able to correlate the email addresses and IDs of hundreds of millions of Twitter users.

Twitter fixed the flaw that made this possible in January last year, but it had no way of knowing how much data had been leaked and no way to recover the stolen information.

The first glimpse we had at the damage came in July 2022, when threat actors put 5.4 million users’ data up for sale. They initially asked for $30,000 (£25,000) but ultimately released it for free on 27 November.

Another dataset allegedly containing 17 million users’ data was also circulating privately in November, followed by the latest, and biggest, collection that was posted online this week.

The cache reportedly contains the same information that was previously leaked, but has been cleaned up to reduce the number of duplicate records. In total, there are 221,608,279 lines of data – all of which is for sale on the Breached hacking forum for just $2.

How worried should you be?

This data breach is a major problem for Twitter and its users, who have faced one headache after another in recent months. The scale of the incident means that about half of all Twitter users will be affected, and the unlucky ones could soon face a barrage of fraudulent activity.

Verified accounts with large followers are most susceptible to scams, as criminal hackers like to use established platforms to launch secondary attacks. This often comes in the form of posts that promote bogus cryptocurrency schemes.

Users assume that the promotion is genuine, because it is being advertised by someone they trust, and they plough money into the scheme. By the time the genuine account holder regains access, it’s too late; the crypto wallet has been drained and closed.

The good news is that the criminal hackers only have access to email addresses, which limits the activities they can carry out. However, even with this information alone, they could launch phishing campaigns designed to infect users’ devices with malware or to capture their login credentials.

Individuals should be particularly concerned about emails that appear to come from Twitter itself. Criminal hackers will be keen to cash in on the tumult surrounding the social media giant, plus they know for certain that the email addresses they contact are linked to Twitter accounts.

It’s common for cyber criminals to double down on a data breach by sending bogus emails that seemingly address security concerns related to that incident. Users should be especially vigilant if they receive an email from Twitter advising them to change their password in light of this incident.

The nature of the breach means there’s no existing risk to people’s passwords; this information wasn’t compromised. An email that suggests otherwise is almost certainly a scam.

You can find more tips on how to spot online fraud with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like this incident to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

The course is updated quarterly to ensure that you receive the latest guidance and stay up to date with the latest industry trends.