235 million Twitter accounts, together with the email addresses they were registered with, were posted on an online hacking forum.
How this can be used
Security experts believe that this leak poses threats of exposure, arrest or violence against people who spoke out against governments or powerful individuals.
There is also the risk of extortion, since the hackers could also use the email addresses to reset passwords and take over accounts, especially those not protected by two-factor authentication.
Alon Gal, co-founder of the Israeli security company Hudson Rock, who spotted the posting on a popular underground marketplace, warned that the database could be used not just by hackers but also by political hacktivists and governments to further weaken security.
Goes back to 2021
These records were likely compiled in late 2021, when an outsider who already had an email address or phone number could look up which account had shared it with Twitter.
This was possible because of a flaw in Twitter's system: an unlimited number of emails or phone numbers could be checked through automated lookups, so a script could feed in a bulk list of contacts and harvest the matching handles.
Flaw allowing automated lookups
The first time Twitter learned that someone had exploited the flaw was in July when hackers sold 5.4 million account handles, emails and phone numbers.
It said in August that it discovered the vulnerability in January 2022 through its reward program for bug reports.
The vulnerability had been accidentally introduced in a code update seven months before that.
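To make the flaw concrete, here is an added example (constructed for this article, not Twitter's code) of a contact-discovery lookup that resolves an email or phone number to a handle, with the two controls whose absence turns such a feature into a mass-enumeration tool: a per-user discoverability opt-in, and a per-caller lookup budget. The `Account`, `ContactLookup` and `max_lookups_per_window` names, and the sample accounts, are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    handle: str
    email: str
    phone: Optional[str] = None
    discoverable: bool = True  # user opted in to "find me by email/phone"


@dataclass
class ContactLookup:
    """Constructed model of a contact-discovery endpoint (not Twitter's code).

    One lookup resolves an email or phone number to the handle that
    registered it.  The hardening shown here is a per-caller budget: once a
    caller has spent its lookups for the window, further calls are refused,
    so an unlimited automated sweep of a contact list is cut off.
    """
    accounts: List[Account]
    max_lookups_per_window: int = 50
    _index: Dict[str, Account] = field(init=False)
    _used: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def __post_init__(self) -> None:
        # Index every contact key (email and phone) a user shared, case-folded.
        self._index = {}
        for acct in self.accounts:
            for key in (acct.email, acct.phone):
                if key:
                    self._index[key.lower()] = acct

    def lookup(self, caller_id: str, contact: str) -> Optional[str]:
        """Return the handle registered with `contact`, or None.

        None covers both "no such account" and "account not discoverable",
        so the response does not distinguish the two cases.
        """
        self._used[caller_id] += 1
        if self._used[caller_id] > self.max_lookups_per_window:
            raise PermissionError("lookup budget exhausted for this window")
        acct = self._index.get(contact.strip().lower())
        if acct is None or not acct.discoverable:
            return None
        return acct.handle

    def reset_window(self) -> None:
        """Called by a scheduler at the start of each rate-limit window."""
        self._used.clear()
```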
Under heightened scrutiny
Ireland’s Data Protection Commission said last month that the General Data Protection Regulation of the European Union may have been broken.
The fresh batch is likely to intensify that investigation, along with an ongoing U.S. Federal Trade Commission investigation into whether Twitter has been violating consent decrees in which it vowed to better protect user data.
The platform previously stated that it fixed the bug as soon as it was caught, but did not specify how long the process took.
Getting rid of security experts
This happened during a turbulent month in which the company sacked both of its senior security officers.
One of them, Peiter Zatko, who led the information security team, said that Twitter had been grossly unprepared to fend off hacking attempts.
In August 2022 he also filed a formal whistleblower complaint with the Securities and Exchange Commission and testified about the deficiencies in Congress.
History of poor security
Although the latest data leak is among the biggest ever, it is just the most recent in a string of security lapses that go back more than a decade.
Zatko said that the company had been breaking a 2011 settlement with the FTC over frequent account takeovers.