“This database will be used by hackers, political hackers and of course governments to further damage our privacy,” said Alon Gal, co-founder of Israeli security firm Hudson Rock, who noticed the post on a popular underground market.
The records were probably compiled in late 2021 using a flaw in Twitter's systems that allowed anyone who already had an email address or phone number to find any account that had shared that information with Twitter. Such searches could be automated to check unlimited lists of email addresses or phone numbers.
Twitter said in August that it had learned of the vulnerability in January 2022 through its bug bounty program, and that the vulnerability had been accidentally introduced in a code update seven months earlier.
In July, hackers were found to have sold 5.4 million Twitter account handles and the associated email addresses and phone numbers, and Twitter said that was the first it learned that someone had exploited the flaw.
The much larger data dump was compiled in almost exactly the same way and was available for private sale and circulated for some time before its final release, Gal said.
Ireland’s Data Protection Commission said last month that it was investigating the earlier breach for violations of Europe’s General Data Protection Regulation. The new leak will likely increase the intensity of that investigation and add to the ongoing investigation by the U.S. Federal Trade Commission into whether Twitter violated a consent order in which it promised to better protect user data. The FTC declined to comment.
Three-quarters of Twitter users live outside the US and Canada.
Twitter did not respond to an email asking for comment and whether the company had any recommendations for users.
The users least at risk are those who provided disposable email addresses or addresses not linked to them elsewhere. But even they could be subject to account hijacking attempts, phishing, or emailed threats.
Twitter said in its previous statement that it fixed the vulnerability when it learned of it, but did not say how long that took. The January 2022 report came in a chaotic month in which the company fired its two top security executives.
One of them, Peiter Zatko, had argued internally that Twitter was largely unprepared to fend off hacking attempts, and later filed a formal whistleblower complaint with the Securities and Exchange Commission and testified before Congress about the shortcomings.
While the 235 million posted records make this one of the largest breaches anywhere, it is only the latest in a series of security failures at Twitter over more than a decade. Frequent account takeovers led to a 2011 settlement with the FTC, which Zatko said the company had violated.
While Elon Musk had previously used Zatko’s statements about poor security practices in an unsuccessful attempt to avoid buying the company, he has since laid off most of its security staff.