Files containing 200 million email addresses belonging to users of the social media site Twitter have been leaked online. They were available for around $2 of digital currency.
The information is thought to have been extracted via a vulnerability in Twitter’s API that was first exploited in 2021.
There’s little you can do when your email address is circulated like this, aside from keeping your eyes peeled for suspicious correspondence when going through your emails and using strong, unique passwords.
Twitter Email Addresses Being Sold
The 200 million email addresses are up for sale on Breached, a popular hacking forum. The files can be bought for 8 credits of Breached’s own digital currency, the equivalent of around $2.
The poster claims the files include the same data as the bank of 400 million email addresses that appeared online in November 2022, but with duplicates removed – although those with access to the data say they’ve found duplicates.
Along with email addresses, the files include names, screen names, follow counts, and account creation dates (much of which is, of course, public information – just not connected to the email addresses).
Twitter Records Appear Once More
Files full of email addresses belonging to Twitter users have cropped up a number of times on the internet over the past six months or so.
All the data can be traced back to the same vulnerability that was present in Twitter’s API back in 2021, which effectively allowed someone to submit email addresses and phone numbers to the site and learn whether they were associated with a Twitter ID.
The vulnerability was patched in January 2022, while the news that 5.4 million Twitter users' emails had been leaked and were up for sale hit the headlines in July.
According to Bleeping Computer, who have confirmed that many of the email addresses listed in the leak are valid, the attackers “used another API to scrape the public Twitter data for the ID and combined this public data with private email addresses/phone numbers to create profiles of Twitter users”.
There are some differences in the data this time round, however, including the fact that the current data did not show whether a user was verified.
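The sentence above describes an account-enumeration oracle: a lookup that answers differently depending on whether a contact is registered. The sketch below is an added illustration, not code from the article or from Twitter; `ACCOUNTS`, `HardenedLookup` and the sample contacts are constructed. It puts the oracle beside a hardened version that replies uniformly, throttles each caller, and records a detection signal (distinct contacts probed per caller).

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample store (hypothetical contacts and ids, not real user data).
ACCOUNTS = {"alice@example.com": 1001, "bob@example.com": 1002, "+15550100": 1003}

def lookup_vulnerable(contact: str) -> dict:
    """Enumeration oracle: the reply itself tells the caller whether the
    contact is tied to an account, and even which one."""
    account_id = ACCOUNTS.get(contact)
    if account_id is None:
        return {"status": "not_found"}
    return {"status": "found", "id": account_id}

class HardenedLookup:
    """Same feature, hardened: uniform reply, per-caller throttle, and a
    detection counter of distinct contacts probed per caller."""

    def __init__(self, max_per_window: int = 5, window_s: float = 60.0):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._probes = defaultdict(deque)  # caller -> timestamps of accepted calls
        self._distinct = defaultdict(set)  # caller -> contacts probed

    def _throttled(self, caller: str, now: float) -> bool:
        q = self._probes[caller]
        while q and now - q[0] > self.window_s:  # drop calls outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return True
        q.append(now)
        return False

    def lookup(self, caller: str, contact: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        if self._throttled(caller, now):
            return {"status": "rate_limited"}
        self._distinct[caller].add(contact)
        # Resolve internally but never echo the result: any follow-up
        # (e.g. a message to that address) happens out of band.
        _ = ACCOUNTS.get(contact)
        return {"status": "ok"}

    def suspicious_callers(self, threshold: int = 3) -> list:
        """Detection: callers that probed more distinct contacts than threshold."""
        return sorted(c for c, s in self._distinct.items() if len(s) > threshold)
```

The uniform `ok` reply removes the registered/not-registered signal; the throttle and the distinct-contact count are what a defender would alert on for bulk probing.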
What Do I Do if My Email Was Included?
There’s not much you can do about your email being out there. Besides, the average internet user gives their email to so many companies that this sort of thing can happen at pretty much any time, to pretty much anyone.
Threat actors can use these banks of stolen emails to send malicious links directly to your inbox, or to attempt to log into accounts you own in brute-force attacks.
In 2023, ensuring you’re alert and staying vigilant when leafing through your email inbox is extremely important. Treat all unverified correspondence with companies through email with extreme caution, especially when they’ve contacted you rather than vice versa.
Use a password manager like NordPass to ensure your password can stand up to any potential brute-force attacks on your accounts. If you take steps like this, you'll limit what a threat actor can actually do with just your email address.