Twitter claims there’s ‘no evidence’ 200 million leaked usernames and email addresses came from an exploit of its systems

A database posted online claims to reveal more than 200 million associated Twitter usernames and email addresses. Now, several days after the initial reports, Twitter says the “dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.”

According to reports from security researchers and media outlets including BleepingComputer, the credentials in the leak were compiled from a number of earlier Twitter breaches dating back to 2021. According to Twitter, however, there is “no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.”

Its statement addresses the information in the datasets only by saying, “The data is likely a collection of data already publicly available online through different sources.”

The Verge contacted Twitter for additional clarity about the accuracy of the records in the leaks, but Twitter does not have a functioning press office since being acquired by Elon Musk.

5.4 million user accounts reported in November were found to be the same as those exposed in August 2022.

400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident.

200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.

Both datasets were the same, though the second one had the duplicated entries removed.

None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.

“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the data on LinkedIn. “[It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.” The datasets don’t contain passwords, as experts and Twitter have pointed out, but email addresses can still be especially useful for hackers targeting specific accounts.

Estimates of the exact number of users affected by the breach vary, in part because of the tendency for such large-scale data dumps to include duplicate records. Screenshots of the database shared by BleepingComputer show it contains a number of text files listing email addresses and linked Twitter usernames as well as users’ real names (if they shared them with the site), their follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being sold on one hacking forum for as little as $2.

Troy Hunt, creator of the cybersecurity alert site Have I Been Pwned, also analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks to be pretty much what it’s been described as.”

The breach has now been added to Have I been Pwned’s systems, meaning anyone can visit the site and enter their email address to see if it was included in the database.

The origin of the database seems to be traced back to 2021, reports The Washington Post, when hackers discovered a vulnerability in Twitter’s security systems. The flaw allowed malicious actors to automate account lookups — entering email addresses and phone numbers en masse to see if they were associated with Twitter accounts.

Twitter disclosed this vulnerability in August 2022, saying it had fixed the issue in January of that year after it was reported as a bug bounty. The company claimed at the time it “had no evidence to suggest someone had taken advantage of the vulnerability,” but cybersecurity experts had already spotted databases of Twitter credentials for sale in July of that year.

The company also said on Wednesday that its investigations showed that around 5.4 million user accounts had been exposed in November. That appears to be the only dataset it’s attributing to the years-old vulnerability, which went unnoticed by Twitter for roughly seven months.

The breach is only the latest cybersecurity debacle to affect Twitter, which has long struggled to protect its users’ data. The company is already being investigated by the EU for the breach (based on first reports in July 2022) and is being probed by the FTC for similar security lapses. Last August, Twitter’s former head of security turned whistleblower on the company, Peiter “Mudge” Zatko, filed a complaint with the US government in which he claimed that the company was covering up “egregious deficiencies” in its cybersecurity defenses.

Update January 11th, 4:05PM ET: Added Twitter’s response to the incident claiming there’s no evidence linking most of the leaked IDs to data from its systems.