Date: 2023-01-06

Several bits of information linked to over 200 million Twitter accounts have been leaked on underground hacker forums. The information includes email address, name, username, account creation date, and follower count.

The data could be used to orchestrate phishing attempts for account takeover and expose the real-life identities of the concerned users, according to cyber intelligence company CloudSEK. Bad actors gained access through a vulnerability in Twitter’s login API, allowing them to input phone numbers/email addresses to retrieve the Twitter user ID.

The leaked database was initially advertised for USD 200,000 on December 23 last year by a threat actor with the username Ryushi on the English-speaking cybercrime forum Breached Forums. The same post also told potential buyers what malicious purposes the leaked data could serve: SIM swapping, crypto scams, BEC scams, phishing campaigns, selling verified usernames, and peddling crypto scams using hacked verified accounts.

Not long after, on January 1, a new user on the forum with the username Hoolig0n announced the sale of the same database, with some updated information. According to them, the data was scraped over a period lasting from September 2021 through January 2022. While the original post claimed that 400 million records were gathered, the newer post refuted those claims, saying that over 190 million of those were duplicates.

The original advertisement put up for the sale of the database (Image: CloudSEK)

The second advertisement put up for the sale of the database (Image: CloudSEK)

Both forum posts have since been deleted, strongly suggesting that at least one of them had already found a buyer.

Thankfully, the vulnerability that allowed the leak was reportedly patched in early 2022. One interesting bit about it is that it also exposed the details of suspended accounts, putting the privacy of blacklisted people at risk as well.

This isn’t the first time such data has been stolen from Twitter and put up for sale. The second half of 2022 saw another threat actor exploit a similar vulnerability to steal the account details of 5.4 million users. It’s possible that the larger database from the current leak overlaps in part with the database comprising those 5.4 million users.

What to do

Unfortunately, there’s little that can be done about the data now that it’s already out in the open. What you can do is be wary of phishing campaigns from entities trying to impersonate Twitter, since the leaked data can be used to launch them. CloudSEK also advises users to reveal minimal information while creating online accounts, so when breaches like these do happen, bad actors get away with as little information on you as possible.