The latest dramatic twist in Twitter’s ongoing chaos under the tumultuous tenure of Elon Musk is a massive data breach exposing the email addresses, phone numbers, names, and other account data of 235 million users. The information is now available to anyone on the dark web with a couple of extra bucks to spend.
The news, first brought to public attention by The Washington Post on Wednesday evening and subsequently covered by multiple outlets, traces the security lapse back to 2021, which, admittedly, was well before Musk’s $44 billion purchase of the social media platform in October 2022. The files, posted to an online hacking forum under the title “Breached” by an anonymous account called “StayMad,” were reportedly amassed through a since-patched API vulnerability that let attackers look up the user information attached to more than 200 million accounts. The bug exposed a “bizarre ‘lookup’ function” that let anyone submit an email address or phone number and learn whether it was tied to an active account, per Gizmodo’s rundown on Thursday. “StayMad” is allegedly offering the data trove for the equivalent of $2 in cryptocurrency.
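As an added illustration (not code from the article, from Twitter, or from anyone involved in the breach), here is a small Python model of a lookup endpoint of the kind described above, which leaks whether an email or phone number belongs to an account, placed beside a hardened version that answers identically either way and throttles bulk querying. The ACCOUNTS table and the client ids are constructed sample data.

```python
from collections import defaultdict

# Constructed sample directory: identifier (email or phone) -> account handle.
ACCOUNTS = {
    "alice@example.com": "alice",
    "+15555550123": "bob",
}


def leaky_lookup(identifier: str) -> dict:
    """Vulnerable pattern: the reply differs depending on whether the
    identifier is tied to an account, so the endpoint is an enumeration
    oracle for anyone holding a list of emails or phone numbers."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


class HardenedLookup:
    """Defensive pattern: the same reply for known and unknown identifiers,
    a per-client quota so probing is throttled rather than answered, and an
    audit trail that gives defenders something to alert on."""

    def __init__(self, quota: int = 5):
        self.quota = quota                 # lookups allowed per client
        self.calls = defaultdict(int)      # client_id -> lookups so far
        self.audit = []                    # (event, subject) tuples

    def lookup(self, client_id: str, identifier: str) -> dict:
        self.calls[client_id] += 1
        if self.calls[client_id] > self.quota:
            self.audit.append(("throttled", client_id))
            return {"status": "rate_limited"}
        # Existence is used only for an out-of-band action the caller cannot
        # observe (e.g. a recovery message to the account owner); the HTTP
        # reply itself carries no information about whether a match exists.
        if identifier in ACCOUNTS:
            self.audit.append(("recovery_message_sent", ACCOUNTS[identifier]))
        return {"status": "accepted"}
```

The hardened version still does real work for genuine account-recovery requests; it simply moves the "does this account exist?" answer out of the response and into a channel only the legitimate owner receives.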
The API weakness was first discovered in January 2022 through Twitter’s then-active bug bounty program, which encouraged crowdsourced security review. Twitter publicly announced the issue 8 months later but assured users the loophole had since been closed and that there was “no evidence to suggest someone had taken advantage of the vulnerability.”
While it is currently unclear how expansive the fallout from Twitter’s latest breach will be, experts warned WaPo that the exposed data could easily be exploited by bad actors such as repressive governments seeking to silence, intimidate, or even physically harm dissidents and critical journalists. What’s more, there doesn’t seem to be much victims can do about the situation, unless their accounts were created with dummy email addresses or burner phone numbers. Concerned users can in principle change the email address attached to their account, although doing the same for a phone number is usually far more difficult and potentially expensive.
Twitter, for its part, hasn’t said anything about the news since it broke earlier this week. Many of the social media platform’s security experts and teams have been axed since Musk’s takeover, as has the company’s entire PR department.