"Twitter claims there’s ‘no evidence’ 200 million leaked usernames and email addresses came from an exploit of its systems", 11 January 2023

A database posted online claims to reveal more than 200 million associated Twitter usernames and email addresses. Now, several days after the initial reports, Twitter says the “dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.”

According to reports from security researchers and media outlets including BleepingComputer, the credentials in the leak were compiled from a number of earlier Twitter breaches dating back to 2021. According to Twitter, however, there is “no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.”

Its statement addresses the information in the datasets only by saying, “The data is likely a collection of data already publicly available online through different sources.”

The Verge contacted Twitter for additional clarity about the accuracy of the records in the leaks, but Twitter does not have a functioning press office since being acquired by Elon Musk.

“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the data on LinkedIn.

Estimates of the exact number of users affected by the breach vary... Screenshots of the database shared by BleepingComputer show it contains a number of text files listing email addresses and linked Twitter usernames as well as users’ real names (if they shared them with the site), their follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being sold on one hacking forum for as little as $2.

Troy Hunt, creator of the cybersecurity alert site Have I Been Pwned, also analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks to be pretty much what it’s been described as.”

The breach has now been added to Have I been Pwned’s systems, meaning anyone can visit the site and enter their email address to see if it was included in the database.

The origin of the database seems to be traced back to 2021, reports The Washington Post, when hackers discovered a vulnerability in Twitter’s security systems. The flaw allowed malicious actors to automate account lookups — entering email addresses and phone numbers en masse to see if they were associated with Twitter accounts.

Twitter disclosed this vulnerability in August 2022, saying it had fixed the issue in January of that year after it was reported as a bug bounty. The company claimed at the time it “had no evidence to suggest someone had taken advantage of the vulnerability,” but cybersecurity experts had already spotted databases of Twitter credentials for sale in July of that year.

The company also said on Wednesday that its investigations showed that around 5.4 million user accounts had been exposed in November. That appears to be the only dataset it’s attributing to the years-old vulnerability, which went unnoticed by Twitter for roughly seven months.