Data of over 200 Million users containing private email and phone numbers have been reportedly sold in the black market. Officials from cybercrime intelligence firm Hudson Rock quoted as saying that it is “one of the most significant leaks I’ve seen.” on twitter. They found out that the database that was leaked contained an overwhelming amount of information such as emails, phone numbers, and more including those of even high profile users such as Kevin O ‘ Leary, AOC, and others.
Twitter has yet to comment on the report.
Earlier around August 5th, 2022 on its website, Twitter released a statement on where they informed the public about a vulnerability that they had discovered in their systems through a bug bounty program that they had been running.
In the same press release they also shared guidelines on how to keep accounts protected. Here is what the press release said:
What happened
On January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.
In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.
Read more about how to protect yourself in our cybersecurity guide for beginners
