Twitter, currently a company enduring more than one major headache, has a pretty bad data breach on its hands. It could impact hundreds of millions of users and lead to major security issues for the platform but, despite its severity, it’s been easy to miss amidst the flood of other scandals and controversies plaguing the social media giant. Still, if you use the bird app, this is one mess you’re definitely gonna want to pay attention to, as it might affect you directly, unlike Elon Musk’s c-suite uproar.
The short version is this: data stolen from Twitter more than a year ago found its way onto a major dark web marketplace this week. The asking price? The crypto equivalent of $2. The hacker who posted the data haul, a user who goes by the moniker “StayMad,” posted the data to the market “Breached,” where anyone can now purchase and peruse it. The cache is estimated to cover at least 235 million people’s information.
While a lot of details are still missing from this unfortunate saga, we’ve pulled together a short rundown on what you might need to know about Twitter’s security debacle, the latest in a long string.
What information was compromised?
According to multiple reports, the breach material includes the email addresses and/or phone numbers of some 235 million people. This information has been paired with details publicly scraped from users’ profiles, thus allowing the cybercriminals to create more complete data dossiers on potential victims. Bleeping Computer reports that the information for each user includes not only email addresses and phone numbers but also names, screen names/user handles, follower count, and account creation date. In short: anybody who buys the haul from “Breached” will have the contact and partial login information for any impacted Twitter user. Not only is this a potential security issue for those accounts, it’s a major privacy violation for anybody who doesn’t want random dark web goons to have access to their contact info.
How and when did this happen?
The data that appeared on “Breached” this week was actually stolen during 2021. Per the Washington Post, cybercriminals exploited an API vulnerability in Twitter’s platform to call up user information connected to hundreds of millions of user accounts. This bug created a bizarre “lookup” function, allowing any person to plug in a phone number or email to Twitter’s systems, which would then verify whether the credential was connected to an active account. The bug would also reveal which specific account was tied to the credential in question.
The vulnerability was originally discovered by Twitter’s bug bounty program in January of 2022 and was first publicly acknowledged last August. In a blog post, the company said that the bug had been the result of an update to its code that took place in June of 2021. At that point, the company told users that it had “no evidence to suggest someone had taken advantage of the vulnerability” though, as it turns out, they were totally wrong.
It’s unclear exactly when cybercriminals discovered this bug and began exploiting it but what we do know is that, by the time the platform caught on, the hackers had already stolen data from a shitload of people. That said, the total amount of information inside the “Breached” haul that is authentic is unknown. Analysts and journalists have tested portions of the data and found it to involve real accounts.
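To make the lookup bug concrete, here is an added Python illustration (not Twitter’s code and not from the original article) of a contact-lookup handler that behaves as an account oracle, beside a hardened form that answers identically for known and unknown contacts, plus a regression check for that property and a log-based detector for bulk probing. The account store, the handler names and the access-log lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample account store (contact identifier -> handle); not real data.
ACCOUNTS = {
    "alice@example.com": "@alice_example",
    "+15550000001": "@bob_example",
}
OUTBOX = []  # constructed stand-in for an out-of-band message queue

def vulnerable_lookup(contact: str) -> dict:
    """Mirrors the bug described above: the response reveals whether the
    email/phone belongs to an active account and which handle it is tied to."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"exists": False}
    return {"exists": True, "handle": handle}

def hardened_lookup(contact: str) -> dict:
    """Identical response for known and unknown contacts, so the endpoint is
    not an oracle; anything contact-specific happens where the caller cannot see it."""
    if contact in ACCOUNTS:
        OUTBOX.append((contact, "recovery instructions"))  # invisible to the caller
    return {"status": "If this contact is registered, instructions have been sent."}

def leaks_existence(lookup, known: str, unknown: str) -> bool:
    """Regression check for an endpoint: True if the responses for a registered
    and an unregistered contact differ, i.e. the endpoint can confirm or
    enumerate accounts."""
    return lookup(known) != lookup(unknown)

def clients_over_threshold(log_lines, max_distinct: int) -> dict:
    """Detection over constructed access-log lines of the form
    '<timestamp> <client> <endpoint> <contact>': returns the clients that queried
    more than `max_distinct` different contacts, the signature of bulk probing."""
    distinct = defaultdict(set)
    for line in log_lines:
        _ts, client, endpoint, contact = line.split()
        if endpoint == "/lookup":
            distinct[client].add(contact)
    return {c: len(s) for c, s in distinct.items() if len(s) > max_distinct}

SAMPLE_LOG = [  # constructed log lines
    "2021-07-01T10:00:00Z 203.0.113.5 /lookup alice@example.com",
    "2021-07-01T10:00:01Z 203.0.113.5 /lookup carol@example.com",
    "2021-07-01T10:00:02Z 203.0.113.5 /lookup dave@example.com",
    "2021-07-01T10:00:03Z 203.0.113.5 /lookup +15550000001",
    "2021-07-01T10:05:00Z 198.51.100.7 /lookup alice@example.com",
]
```

Running `leaks_existence` against each handler shows the vulnerable one differs between a real and a made-up contact while the hardened one does not, and the detector flags the single client probing many distinct contacts.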
Who is behind the hack?
We don’t know. The identities of the cybercriminals behind the data breach are unknown, and it’s unclear whether they have ties to a well-known hacker group or threat actor. The user who posted the 200 million profile haul on Breached goes by the moniker “StayMad,” but little is known about them outside of that. While we might not know who is responsible for the data breach, security experts have speculated that cybercriminals could use the stolen data to conduct a whole slew of unsavory activities. Experts have estimated that the information could be used for account takeover attempts, as well as phishing and harassment of affected users.
What has Twitter done about it?
As far as we can tell, Twitter has done almost nothing about the most recent iteration of this data breach. After acknowledging the API bug last summer, the company hasn’t offered many updates, nor has it commented on the recent listing of user data for sale. Gizmodo reached out to the company on Thursday for comment about the “Breached” incident but did not hear back. Twitter no longer has a public relations department after Elon’s layoffs. We will update our story if the platform decides to ever address the security debacle.
What You Can Do
Unfortunately, there’s not much you can do. Unless you buy the data yourself and sift through it, it’s not clear how you would verify whether you were impacted or not. However, if you’re concerned that your data may have been exposed, one recommendation would be to burn the account credentials that may have been affected by the breach. An email address can be easy to change but an exposed phone number is a little more complicated. Phone numbers are less discardable than emails, though you can always contact your cellular provider and request a phone number change if you’re worried about your privacy. At the same time, you should change the email address and/or phone number associated with your Twitter account and employ multi-factor authentication that puts the account’s security firmly in your hands (that’s how it’s supposed to work, anyway).