Someone has posted a database of over 200 million email addresses for Twitter accounts on the dark web and is selling it for a handful of dollars — just $2.
According to BleepingComputer, which managed to confirm the authenticity of at least some of the email addresses published in the ad, this is not a new leak, but rather a recycling of data previously leaked through flawed API calls.
Back in 2021, a Twitter API vulnerability was discovered that allowed threat actors to enter email addresses or phone numbers into Twitter to see if they were associated with an active Twitter account. Some of you may recall that when trying to log into Twitter with a valid email address or phone number, even if the password was incorrect, the platform still displayed the ID and profile name of the account associated with those credentials.
Clean up old bugs
The hackers then used a separate API to scrape public Twitter data for IDs and cross-referenced it with email data to generate a list of Twitter accounts.
A year later, in 2022, threat actors started selling databases generated in this way. The initial database, containing more than 5 million entries, was put up for sale in mid-2022 for $30,000. The database was then reduced to 400 million entries (probably after removing duplicates, fake accounts, etc.), and now it's exactly 221,608,279 rows.
Still, the publication found that the database also had duplicates and wasn’t completely clean.
In total, the threat actors released a set of six text files combined in a single .RAR archive weighing approximately 59GB.
Each line in the files contains information related to a Twitter user: email address, name, Twitter handle, number of followers, and account creation date. Previous leaks also showed whether accounts were verified, which this database does not.
Via: BleepingComputer