“This database is going to be used by hackers, political hacktivists and of course governments to further harm our privacy,” said Alon Gal, co-founder of Israeli security firm Hudson Rock, who spotted the posting on a popular underground market.
The records were likely compiled in late 2021, using a loophole in Twitter’s system that allowed strangers who already had an email address or phone number to find any account that had shared that information with Twitter. Because the lookup did not limit how often it could be queried, these searches could be automated to check an unlimited list of emails or phone numbers.
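The lookup described above is an enumeration oracle: an endpoint that answers “does any account hold this email or phone number?” for anyone who asks, as often as they ask, so a list of candidate contacts can be fed through it and the hits collected. The Python illustration below is an added example and is not Twitter’s code; the record layout, the `discoverable` opt-in flag and the per-caller rate limiter are assumptions made for illustration. It shows the leaky lookup, the automated use an attacker makes of it, and a hardened variant that only confirms accounts whose owners opted in to discovery and that throttles each caller.

```python
"""Contact-lookup enumeration oracle and a hardened variant.

Added illustration, not Twitter's code.  The Account layout, the
'discoverable' setting and the rate limiter are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Account:
    handle: str
    email: str | None
    phone: str | None
    discoverable: bool  # assumed user setting: "let people with my contact find me"


# Constructed sample data for the example; these are not real accounts.
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550001111", discoverable=True),
    Account("bob", "bob@example.com", None, discoverable=False),
    Account("carol", None, "+15550002222", discoverable=True),
]


def find_account_vulnerable(contact: str) -> str | None:
    """Leaky lookup: confirms existence for any contact, for any caller,
    ignoring the owner's discoverability setting and with no throttling."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct.handle
    return None


def enumerate_contacts(contacts, lookup) -> dict[str, str]:
    """What an attacker does with an unthrottled oracle: run a candidate
    list of emails/phones through it and keep only the confirmed hits."""
    return {c: h for c in contacts if (h := lookup(c)) is not None}


class LookupThrottled(Exception):
    """Raised when a caller exceeds the lookup budget for the window."""


class RateLimiter:
    """Sliding-window limiter: at most max_lookups per caller per window_s.
    'now' is injected so the behaviour is deterministic and testable."""

    def __init__(self, max_lookups: int, window_s: float):
        self.max_lookups = max_lookups
        self.window_s = window_s
        self._hits: dict[str, list[float]] = {}

    def allow(self, caller: str, now: float) -> bool:
        recent = [t for t in self._hits.get(caller, []) if now - t < self.window_s]
        if len(recent) >= self.max_lookups:
            self._hits[caller] = recent
            return False
        recent.append(now)
        self._hits[caller] = recent
        return True


def find_account_hardened(caller: str, contact: str,
                          limiter: RateLimiter, now: float) -> str | None:
    """Hardened lookup: the caller is identified and throttled, and only
    accounts whose owners opted in to discovery are ever confirmed."""
    if not limiter.allow(caller, now):
        raise LookupThrottled(f"lookup budget exhausted for {caller!r}")
    for acct in ACCOUNTS:
        if acct.discoverable and contact in (acct.email, acct.phone):
            return acct.handle
    return None


def demo() -> dict:
    """Runs the same candidate list against both lookups."""
    candidates = ["alice@example.com", "bob@example.com",
                  "nobody@example.com", "+15550002222"]
    leaked = enumerate_contacts(candidates, find_account_vulnerable)

    limiter = RateLimiter(max_lookups=2, window_s=60.0)
    hardened, throttled_at = {}, None
    for i, c in enumerate(candidates):
        try:
            h = find_account_hardened("attacker", c, limiter, now=float(i))
        except LookupThrottled:
            throttled_at = c
            break
        if h is not None:
            hardened[c] = h
    return {"leaked": leaked, "hardened": hardened, "throttled_at": throttled_at}


if __name__ == "__main__":
    print(demo())
```

Even the hardened version still confirms existence for accounts that opted in, so the opt-in check protects users like `bob` but not `alice` or `carol`; what actually stops bulk collection is identifying and throttling the caller, and a single-node limiter like this one is easily spread across many accounts or IP addresses, so lookup volume across callers is something to monitor as well.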
Twitter said in August that it had learned of the vulnerability in January 2022 through its bug bounty program and that the flaw had been accidentally introduced in a code update seven months earlier.
In July, hackers were spotted selling a bundle of 5.4 million Twitter accounts with their associated emails and phone numbers, which Twitter said was how it first learned that someone had taken advantage of the loophole.
The much larger data dump was almost certainly compiled the same way and was offered for private sale and circulation for some time prior to the recent release, Gal said.
Ireland’s Data Protection Commission said last month it was investigating the earlier breach and that the EU’s General Data Protection Regulation may have been violated. The new batch is likely to add to the intensity of that investigation and of an ongoing investigation by the US Federal Trade Commission into whether Twitter violated consent decrees in which it promised to better protect user data. The FTC declined to comment.
Three-quarters of Twitter users live outside the United States and Canada.
Twitter did not respond to an email seeking comment and asking if the company had any advice for users.
Less at risk were users who provided email addresses that were either disposable or not linked to them elsewhere. But even they could be subject to account takeover attempts, phishing or email threats.
In its previous statement, Twitter said it fixed the flaw when it became aware of it, but did not say how long the process took. The January 2022 report came during a chaotic month in which the company laid off its two top security officers.
One of them, Peiter Zatko, had argued internally that Twitter was totally unprepared to fend off hacking attempts, and he later filed a formal complaint with the Securities and Exchange Commission and testified about the shortcomings before Congress.
While the 235 million published records rank among the world’s biggest breaches, the leak is just the latest in a string of Twitter security disasters dating back more than a decade. Frequent account takeovers led to a 2011 settlement with the FTC that Zatko said the company violated.
While Elon Musk previously used Zatko’s testimony about poor security practices in an unsuccessful attempt to back out of buying the company, he has since fired many of its security officers.