Skip to main content

Twitter’s 200 Million-User Email Leak: What to Know and How to Protect Your Info

  |  Dashlane

Twitter is no stranger to cybersecurity incidents, as evidenced by the platform’s infamous hack in 2020 when a hacker posed as the company’s IT department and duped its employees. 

The social media giant was recently targeted once again, and though users are just now learning of the full reach of the cyberattack, reports indicate that the incident is linked to a 2021 security vulnerability.

The timeline

An update to Twitter’s code in June 2021 introduced a vulnerability, or bug, in Twitter’s API (application programming interface), making it possible for hackers to scrape the platform’s public database and link usernames to associated private email addresses and phone numbers. 

In a statement from Twitter in August of 2022, the platform shared the details of the security vulnerability, informing users that between June 2021 and January 2022, anyone could submit an email address or phone number to Twitter’s systems to reveal the username associated with that phone number or email address. At the time, the platform claims there was no evidence suggesting hackers had maliciously leveraged the information. 

In July of 2022, however, Twitter learned that threat actors were offering to sell the information collected during the 2021 breach. 

Though the bug in Twitter’s API was fixed in January 2022, affected users’ email addresses and phone numbers have been circulating in forums. A database containing 5.4 million email addresses phone numbers was circulating over the summer of 2022 and, before being released for free, was for sale for $30,000. According to WIRED, the incident is being investigated by the Irish Data Protection Commission and the U.S. Federal Trade Commission, which is trying to determine whether Twitter violated an agreement to improve user privacy. One Twitter user is suing the platform over the breach.

On January 4, 2023, a cybercriminal forum, Breached, published more than 200 million email addresses obtained through the API scrape, available for less than $2 total.

Your data is worth more than that. Get Dashlane to monitor your email on the dark web.

The cybercriminals, who have not yet been identified, have exposed hundreds of millions of email addresses—the former bounty of 5.4 million phone numbers and email addresses combined, but the most recent data set exclusively includes email addresses. The original estimated number of affected emails was greater but has dwindled to 200 million once duplicates were removed. However, security watchdog Bleeping Computer claims to have found duplicates still in the most recent data set. 

How to know if your email address was exposed 

Users who have a separate email address for Twitter have likely not been affected by the data leak. Hackers used data from previous breaches and input them into Twitter’s non-secure API to reveal associated usernames. This means that an email address that has been previously exposed, whether through the Twitter hack or other breaches, could be included in the dataset. 

Users can type their work email addresses into Business Breach Report to learn if they have been compromised and during which breach. 

What personal information is affected?

Though email addresses are the only data exposed in Twitter’s most recent breach, cybercriminals were able to link email addresses to public data, including usernames, names, and social media profiles. 

This is particularly significant for users who wish to remain anonymous on Twitter, and cybersecurity experts predict potential doxxing and targeted phishing attacks as a result. 

Steps to take now if your email address was exposed:

Users affected by the data leak should take these extra steps to protect their personal information:

  1. You might be a target for phishing scams. Refresh yourself on how to identify a phishing scam with these tips
  2. Replace the affected account passwords with a new, random one. We recommend using a secure password generator. If you want to change your username, use a username generator.
  3. Save your new password in an encrypted password manager like Dashlane.  
  4. Enable 2-factor authentication on your Twitter account—though passwords weren’t exposed in the data leak, multifactor authentication can help protect against unauthorized logins. 
  5. Take advantage of Dashlane’s Dark Web Monitoring and scan the dark web to see if any other accounts were affected with that email. Dashlane customers can set up Dark Web Monitoring for up to five email addresses and be instantly notified if their information has been exposed in a security breach.

Software breaches can happen, even to advanced security and software teams. We recognize the hard work of the IT department at Twitter as they work to resolve the incident.

Twitter user or not, you should know when your email is compromised.

Start protecting yourself with a free trial on Dashlane.

Sign up to receive news and updates about Dashlane