A growing Twitter data breach concerns millions of users
Reports are piling up about a major security incident affecting roughly 235 million Twitter accounts. This week, details surfaced on a well-known forum indicating that emails linked to these accounts have been exposed. Hackers are said to be auctioning this data for around two dollars a bundle, intensifying worries about mass phishing and targeted attacks.
Security researchers and observers flagged the disclosure after notes from Alan Gal, co-founder of the Israeli security firm Hudson Rock, highlighted the scope. He stated that the database comprises 235,000,000 unique user records and associated email addresses. He warned on LinkedIn that the leaked data could fuel a wave of attacks, including phishing and doxxing.
Earlier in the year, Twitter faced a separate crisis under the leadership of its current executives. In a separate incident from 2022, the platform acknowledged a security breach that impacted a portion of user data. Twitter reported that the vulnerability was identified in January 2022 and promptly patched, with assurances that no highly sensitive personal information was compromised and that affected account owners would be notified. This history underscores ongoing concerns about safeguarding user data at scale.
“Serious Threat”
Since the previous year, hacker groups have continued to disseminate and monetize stolen datasets that combine email addresses with phone numbers. Security professionals have described this pattern as a serious threat because the data can be filtered, aggregated, and sold on public-facing portals, giving any capable actor a foothold for more serious cyberattacks against Twitter users.
Experts warn that such data can enable a range of cyber actions, from identity theft to spear phishing campaigns and the delivery of malware through deceptive links. The ease of access to both contact details and behavioral signals increases the potential impact for individual users and broader communities alike.
Investigations suggest that some datasets were assembled by exploiting weaknesses in publicly exposed data streams and API configurations. Analysts note that combining publicly available information with leaked private data can create richer user profiles, amplifying the risk to privacy and security. The finding has prompted renewed calls for tighter API controls and stronger data protection practices across platforms.
Regulators have begun to act as well. In December, the Irish Data Protection Commission issued a formal request urging Twitter to inform millions of users about the widespread data exposure and to outline the steps taken to mitigate ongoing risk. The episode has broader implications for the European Union’s privacy framework and its enforcement priorities for major social networks.
In the wake of the disclosures, security teams emphasize practical steps for users. These include enabling multifactor authentication, monitoring for unusual account activity, and being vigilant for phishing attempts that leverage known email addresses and phone numbers. Service providers are urged to review API permissions, audit data access practices, and implement rate limiting and anomaly detection to reduce the chance of further data leakage.
While the exact scope of compromised data remains under assessment, the consensus among researchers is clear: the combination of emails and phone numbers in the hands of malicious actors represents a tangible risk to individual privacy and digital security. Users are advised to remain cautious about unsolicited messages and links, and to report suspicious activity through official channels when available. The broader security community continues to monitor the situation and advocate for stronger protections across social platforms. [citation]