A hacker this week posted data to a notorious forum for breaches and leaks that allegedly contains information on up to 235 million Twitter users.
The breach, as first reported on Wednesday by data security firm Hudson Rock, contains users’ names, handles, email addresses, follower counts, as well as account creation dates.
The Daily Dot was able to independently obtain a copy of the data and verify the legitimacy of numerous entries. According to the hacker, the data was gathered at some point in 2021 using a now-patched vulnerability that was abused by several threat actors.
The data set is just one of several to appear online in recent months. Another user on the forum attempted to sell what was alleged to be data on more than 400 million Twitter users in December. The hacker this week, however, claimed that his data came from the same source but excluded around 200 million duplicates.
Yet the Daily Dot was able to locate duplicates in the latest data set as well. Analysis of the data set by the web scraping service OsintSupport placed the total number of entries at around 137 million.
Regardless, it is one of the largest breaches in Twitter history.
Another hacker in July of last year attempted to sell data on 5.4 million Twitter users for $30,000, although the cache was ultimately released for free just four months later. Other data sets, including one alleged to contain 17 million entries, have also been circulating online.
The data, specifically the email addresses linked to accounts, could be used by hackers to target Twitter accounts that are not protected by two-factor authentication. The data could also be used to unmask Twitter users who have opted to remain anonymous on the platform, such as human rights advocates overseas.
Despite the enormity of the data, Twitter has failed to release any public statement on the matter.
But the issue did catch the attention of Ireland’s Data Protection Commission, which announced last month that it had begun investigating the matter following the appearance of the data set alleged to contain 400 million entries.