In January 2023, a database concerning over 200 million Twitter users was published on a notable hacker forum. This data included names and email addresses, but does not appear to include passwords or other highly sensitive information. This hack follows a string of similar leaks, all obtained via the same API vulnerability identified in late 2021.
Below, we’ll dig into the full history of data breaches, security issues, and privacy violations at Twitter.
January 2023: Database of Over 200m Twitter Users Goes Public
Following a string of ransom attempts and leaks, a trove of data on over 200 million Twitter users circulated among hackers in December 2022, and was published in full on BreachForums on January 4th. This data includes email addresses, names, and usernames, but does not appear to include passwords or other highly sensitive data.
This data was originally scraped by exploiting an API vulnerability that was exposed from June 2021 to January 2022. This vulnerability was exploited repeatedly by different hackers, and resulted in multiple ransom attempts and leaks in the latter half of 2022. Most recently, a hacker known as Ryushi attempted to ransom the data for $200,000 in late December.
Some reports have pegged the number of compromised accounts as high as 400 million, but after removing duplicates, the final number appears close to 210 million. It does include data on a number of high-profile accounts, such as those of Alexandria Ocasio-Cortez, Donald Trump Jr, and Mark Cuban.
November 2022: Hacker Publishes Data on 5.4 Million Twitter Users
On November 24th, a hacker published data including email addresses and phone numbers of 5.4 million Twitter users on a hacker forum. This hacker had exploited an API vulnerability in late 2021 to scrape this data, and attempted to sell it for $30,000 in July 2022. But those 5.4 million users were not the only ones affected; as detailed above, north of 200 million Twitter users were ultimately implicated in a related data leak.
August 2022: Whistleblower Alleges “Egregious Deficiencies” in Cybersecurity at Twitter
On August 23, Twitter’s former head of security, Peiter “Mudge” Zatko, went public with allegations that the company’s cybersecurity practices were woefully insufficient. In the 200-page complaint he filed with the SEC on July 6, he described “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”
Per Zatko’s account, Twitter’s leaders, including CEO Parag Agrawal, misled federal regulators and their own board of directors regarding security at the company. He alleged that the platform was vulnerable to foreign hacking, allowed hundreds of engineers broad access to change Twitter’s algorithm in real time, and did not follow through on users’ requests to delete their data. Zatko emphasized a high rate of security incidents: per his description, the platform averaged one serious breach a week.
Twitter disputed Zatko’s claims, and described his account as “a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.” They asserted that he had been fired in January 2022 “for ineffective leadership and poor performance.” This runs counter to Zatko’s assertion that he was forced out after speaking up to Twitter’s board regarding these security issues.
According to Zatko, Twitter is in violation of its 2011 agreement with the FTC, which barred the company from misleading its users on security and privacy. Zatko’s allegations are likely to prompt fresh scrutiny by the FTC and other government agencies; senators Dick Durbin and Chuck Grassley, both ranking members of the Senate Judiciary Committee, have already vowed to investigate the company.
Zatko also said that Twitter lied to Elon Musk regarding bots on the platform. His allegations are sure to complicate an already tense legal standoff, as Musk tries to back out of his deal to buy the company.
August 2022: Former Twitter Employee Found Guilty of Spying for Saudi Arabia
In August 2022, a federal jury in California found a former Twitter employee guilty of acting as an unregistered agent of the Saudi government. The jury found that Ahmad Abouammo had used his position at Twitter to investigate Saudi dissidents and convey information on them to Bader al-Asaker, an aide to Saudi Crown Prince Mohammed bin Salman.
Abouammo first met Asaker in May 2014 at Twitter’s San Francisco headquarters. The two men met again in London that December, when Asaker allegedly gave Abouammo a luxury watch and at least $20,000 in cash. Before long, Abouammo began relaying information on Saudi dissidents to Asaker. In total, Abouammo is alleged to have received over $300,000 in payment for helping spy on Saudi dissidents.
July 2022: Hacker Posts Data on 5.4 Million Twitter Users For Sale
On July 21st, 2022, a hacker under the alias ‘devil’ posted on BreachForums that they had obtained personal data on 5.4 million Twitter users, including email addresses and phone numbers. The hacker had apparently exploited a vulnerability to scrape this data from Twitter, and posted it for sale with an asking price north of $30,000.
The vulnerability was first identified in January 2022 by the white hat hacker Zhirinovskiy. Twitter apparently patched up the vulnerability – but on August 5th, they acknowledged that it played a part in the July data breach:
In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.
In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
Twitter has notified most of the accounts affected – though they also acknowledged that they could not confirm all of the accounts that were compromised in this data breach.
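The defect Twitter describes above is a classic account-enumeration bug: a lookup that answers differently depending on whether an email address or phone number is linked to an account. The following added example (not Twitter's code; the account table and thresholds are constructed for illustration) shows a lookup that leaks linkage beside one that returns a uniform response, and a small monitor that flags a client probing many distinct identifiers in a short window, which is the traffic pattern such scraping produces.

```python
"""Account-linkage lookup: enumeration-prone vs uniform response, plus a
detector for bulk probing. Added example with constructed data."""
from collections import defaultdict, deque

# Constructed sample directory: contact identifier -> account handle.
# These are not real accounts.
ACCOUNTS = {
    "alice@example.test": "alice_demo",
    "+15550100": "bob_demo",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Mirrors the defect described in the statement: the reply itself
    reveals which account (if any) the identifier is linked to."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "no_account"}
    return {"status": "found", "account": handle}


def lookup_hardened(identifier: str) -> dict:
    """Returns the same reply whether or not the identifier is known.
    Any action that depends on the answer (e.g. sending a recovery
    message to the linked contact) happens out of band, so the caller
    learns nothing about account linkage from the response."""
    handle = ACCOUNTS.get(identifier)
    if handle is not None:
        pass  # a real service would queue a message to the linked contact here
    return {
        "status": "ok",
        "message": "If this identifier is linked to an account, a message was sent.",
    }


class EnumerationMonitor:
    """Flags a client that submits more than `max_distinct` different
    identifiers within `window_s` seconds. Thresholds are illustrative."""

    def __init__(self, max_distinct: int = 20, window_s: float = 60.0):
        self.max_distinct = max_distinct
        self.window_s = window_s
        # client -> deque of (timestamp, identifier), oldest first
        self._seen = defaultdict(deque)

    def record(self, client: str, identifier: str, now: float) -> bool:
        """Record one lookup; return True if the client now looks like a scraper."""
        q = self._seen[client]
        q.append((now, identifier))
        # drop entries that have aged out of the window
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        distinct = {ident for _, ident in q}
        return len(distinct) > self.max_distinct


if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.test"))   # leaks the handle
    print(lookup_hardened("alice@example.test"))     # same reply as for an unknown id
    print(lookup_hardened("nobody@example.test"))
    mon = EnumerationMonitor(max_distinct=5, window_s=60.0)
    for i in range(7):
        print(i, mon.record("client-1", f"u{i}@example.test", 100.0 + i))
```

The uniform reply removes the oracle; the monitor is what lets operations notice the bulk probing that produced the July 2022 dataset, since a legitimate user rarely checks dozens of distinct contact identifiers in a minute.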
July 2020: Hacker Takes Over High-Profile Accounts in Bitcoin Scam
While small in scale, one of the most widely covered Twitter security breaches occurred in July 2020. It involved a hacker who targeted the accounts of approximately 130 high-profile individuals, including Elon Musk, Bill Gates, Barack Obama, and Kanye West.
Once the hacker obtained access to a target account, they posted scam messages involving Bitcoin, claiming the account holder was “giving back” to their community by doubling all Bitcoin sent to their address and sending those funds back to the sender.
The attackers accessed the accounts through Twitter’s internal administration tools, bypassing the accounts’ own security measures; in other words, the takeover ran through Twitter’s own systems rather than through the victims’ credentials. The hackers obtained over $100,000 in transfers as a result of this incident.
In a blog post following the incident, Twitter described it as a social engineering attack, in which the hacker obtained employee credentials via phone spear-phishing. Once the attacker held some employee credentials, they used them to obtain increasing levels of access, culminating in the takeover of various high-profile accounts.
November 2019: Data from Hundreds of Twitter Accounts Exposed
While the incident was small-scale, hundreds of Twitter users learned in November 2019 that some of their personal data was exposed. The One Audience development kit allowed developers to access usernames and email addresses. If a Twitter user used their Twitter account to log into an impacted app, the developer could see a limited amount of personal information, as well as some recent tweets.
The incident was very limited, impacting only a few hundred individuals with Android devices. Both Twitter and Facebook accounts were affected.
After learning of the issue, Twitter notified the affected users. Additionally, Google was alerted to the incident, allowing the company to take action if necessary.
November 2019: Two Former Employees Charged with Spying
In November 2019, two former Twitter employees were charged with spying for Saudi Arabia. They were accused of looking up and gathering personal information on specific users at the behest of the foreign nation, focusing on accounts that were critical of the Saudi Arabian government. However, other account data was potentially exposed as well, since the spies compiled some data in bulk.
Twitter stated that it limited access to sensitive information among its staff. However, these two employees succeeded in accessing private account details, despite lacking the official authorization to do so.
October 2019: Twitter Uses Data Provided for Two-Factor Authentication for Ad Targeting
In October 2019, a privacy issue involving phone numbers and other data provided to Twitter for two-factor authentication came to light. The company said it mistakenly incorporated phone numbers and email addresses provided for two-factor authentication into its ad systems, namely its Tailored Audiences and Partner Audiences.
While the personal information wasn’t directly provided to marketers, it was used for ad targeting purposes. Essentially, the contact details were factored into a larger equation to determine whether a user was part of a marketer’s target audience, without the user’s consent.
Twitter fixed the cause of the data leak in September 2019, though it didn’t make the incident public until approximately three weeks later. The exact scope of the incident wasn’t clear. Additionally, it isn’t fully known how long the issue persisted.
December 2018: Twitter Security Flaw Leaks User Phone Number Country Codes
In December 2018, reports emerged describing a security flaw that exposed the phone number country codes of Twitter users. This potentially allowed malicious actors to determine the countries accounts were based in, something that could have ramifications for political dissidents, protestors, whistleblowers, activists, and other users who may be targeted for retaliation or silencing.
The issue stemmed from a support form, potentially giving others the ability to find out the country code associated with an individual account. It isn’t clear how many times the security flaw was used to gain information on other users.
While the issue wasn’t announced publicly until December 2018, reports indicate a security researcher informed Twitter about the problem two years prior by filing a bug report. However, that report was closed without action after Twitter deemed it wasn’t a “significant security risk.”
May 2018: Bug Leaves 330 Million Passwords Exposed
In May 2018, Twitter advised every user to change their password after the company discovered a bug that left passwords exposed in an internal system. While there was no evidence of a breach or misuse, the passwords were unencrypted in an internal log, making them readable to anyone who accessed that system.
Since the glitch potentially impacted every user, the company recommended that everyone with a Twitter account change their password as a precaution. The company also rectified the issue and took additional steps to avoid the bug in the future.
February 2013: Hack Leaves 250,000 Accounts Compromised
In February 2013, Twitter announced a security incident that potentially impacted around 250,000 users. The company said that attackers were able to gain access to account information, specifically user names and email addresses.
Twitter became aware of the issue after it detected signs of an attack about a week prior to the announcement. That activity led to a broader investigation, which revealed the larger breach: unauthorized access attempts against other accounts.
While Twitter was able to stop one attack in progress, the investigation revealed that other accounts might have been compromised, with a limited amount of user data becoming available to the attackers. In response, Twitter revoked session tokens and forced password resets, ensuring impacted users would update their passwords before accessing the site moving forward.
Twitter wasn’t highly specific regarding what allowed the attack to occur, only quickly referencing a Java vulnerability. At the time of the incident, it wasn’t clear who was behind the hack.
April 2009: Hacker Breaches Twitter Administrator Account
In April 2009, a hacker guessed a Twitter administrative password after gaining access to an employee’s personal email account and finding two other passwords stored there in plain text. Once inside the system, the hacker changed at least one Twitter account password. Additionally, while it isn’t clear whether any information was gathered, the attacker would have had access to nonpublic information on essentially any account.
January 2009: Hacker Hijacks 33 High-Profile User Accounts
In January 2009, a hacker used an automated password-guessing tool to access the Twitter administrative control panel. The password used was considered a weak password, being an all-lower-case word you can find in the dictionary.
Since Twitter allowed an unlimited number of password attempts and didn’t flag a high number of attempts happening in quick succession, the hacker gained entry. Once inside, the hacker changed the passwords associated with various accounts, allowing others to gain access. In total, 33 accounts were compromised, and many were used to post messages that weren’t written by the account holder.
This incident – along with the one in April 2009 – led to charges from the FTC. Twitter ultimately settled.
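The January 2009 incident turned on two missing controls: no limit on password attempts and no alert when attempts arrived in quick succession. The following added example (not Twitter's code; the thresholds and the tiny wordlist are constructed for illustration) shows a login guard that locks an account after repeated failures, refuses even a correct password while the lock is in force, raises an alert when one client hammers the login endpoint, and rejects the kind of all-lowercase dictionary word that was in use as the administrative password.

```python
"""Login throttling, lockout and burst alerting. Added example with
illustrative thresholds; not Twitter code."""
from collections import defaultdict, deque

# Constructed, deliberately tiny wordlist. A real deployment would check
# against a full dictionary and a breached-password list.
COMMON_WORDS = {"password", "happiness", "welcome", "letmein", "twitter"}


def is_weak_password(pw: str) -> bool:
    """True for an all-lowercase dictionary word, the weakness exploited in 2009."""
    return pw.isalpha() and pw.islower() and pw in COMMON_WORDS


class LoginGuard:
    """Tracks failures per account and attempt rate per client."""

    def __init__(self, max_failures=5, window_s=300.0, lockout_s=900.0,
                 burst_threshold=10, burst_window_s=10.0):
        self.max_failures = max_failures        # failures before lockout
        self.window_s = window_s                # failures counted within this window
        self.lockout_s = lockout_s              # how long the account stays locked
        self.burst_threshold = burst_threshold  # attempts per client before alerting
        self.burst_window_s = burst_window_s
        self._failures = defaultdict(deque)     # account -> failure timestamps
        self._attempts = defaultdict(deque)     # client  -> attempt timestamps
        self._locked_until = {}                 # account -> unlock time
        self.alerts = []                        # (time, subject, reason)

    @staticmethod
    def _prune(q: deque, now: float, window: float) -> None:
        while q and now - q[0] > window:
            q.popleft()

    def is_locked(self, account: str, now: float) -> bool:
        return now < self._locked_until.get(account, 0.0)

    def attempt(self, account: str, client: str, password_ok: bool, now: float) -> str:
        """Returns "locked", "ok" or "failed". `password_ok` is the result of
        the real credential check, supplied by the caller."""
        # Rate signal per client, regardless of which accounts are targeted
        q = self._attempts[client]
        q.append(now)
        self._prune(q, now, self.burst_window_s)
        if len(q) > self.burst_threshold:
            self.alerts.append((now, client, "rapid attempts"))

        # A locked account refuses every attempt, correct password included
        if self.is_locked(account, now):
            return "locked"

        if password_ok:
            self._failures[account].clear()
            return "ok"

        f = self._failures[account]
        f.append(now)
        self._prune(f, now, self.window_s)
        if len(f) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            self.alerts.append((now, account, "lockout"))
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, window_s=60.0, lockout_s=600.0,
                       burst_threshold=4, burst_window_s=10.0)
    print(is_weak_password("happiness"))                    # True
    for t in range(3):
        print(guard.attempt("admin", "client-1", False, float(t)))
    print(guard.attempt("admin", "client-1", True, 3.0))    # locked despite correct password
    print(guard.attempt("admin", "client-1", True, 700.0))  # ok once the lock has expired
    print(guard.alerts)
```

Two separate counters matter here: the per-account failure count stops a guessing tool from walking a dictionary against one login, and the per-client attempt rate is what surfaces the "high number of attempts in quick succession" that went unflagged in 2009, even when the tool spreads its guesses across many accounts.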