Personal emails linked to 235 million Twitter accounts that were hacked some time ago have been uncovered, according to Israeli security researcher Alon Gal, leaving millions vulnerable to having their accounts compromised or identities exposed if, for example, they have used the site anonymously to criticize oppressive governments.
Gal, co-founder and chief technology officer at cybersecurity firm Hudson Rock, wrote in a LinkedIn post this week that the leak “will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”
Although no account passwords have been leaked, malicious hackers could use the email addresses to try to reset people’s passwords, or to guess them if they are common or reused across other accounts. This is a particular risk when accounts are not protected by two-factor authentication, which adds a second layer of security to password-protected accounts by requiring users to enter an auto-generated code to log in.
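The two risks described above, reset attempts against a long list of leaked addresses and accounts that lack a second factor, are the kind of thing a platform's security team would watch for on the defending side. The following is an added example (not from the article, and not Twitter's code) that runs two checks over a small constructed password-reset request log: it flags any source that requests resets for more than a handful of distinct accounts inside a short window, and it lists targeted accounts from a leaked-email list that have no two-factor authentication enabled. The log format, the field names, the window length and the threshold are all assumptions chosen for illustration.

```python
"""Defender-side checks for password-reset abuse enabled by a leaked email list.

Added example, not from the article. The log format, field names, window
length and threshold are assumptions made for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <source_ip> reset_request <email> 2fa:<on|off>"
SAMPLE_LOG = """\
2023-01-05T10:00:01Z 203.0.113.7 reset_request alice@example.org 2fa:off
2023-01-05T10:00:03Z 203.0.113.7 reset_request bob@example.org 2fa:on
2023-01-05T10:00:04Z 203.0.113.7 reset_request carol@example.org 2fa:off
2023-01-05T10:00:06Z 203.0.113.7 reset_request dave@example.org 2fa:off
2023-01-05T10:00:09Z 203.0.113.7 reset_request erin@example.org 2fa:off
2023-01-05T10:00:12Z 203.0.113.7 reset_request frank@example.org 2fa:on
2023-01-05T10:30:00Z 198.51.100.2 reset_request alice@example.org 2fa:off
2023-01-05T11:45:00Z 198.51.100.2 reset_request alice@example.org 2fa:off
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window for the spray check
MAX_DISTINCT = 5               # assumed: more than 5 distinct targets per window is abuse


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, ip, event, email, mfa = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "event": event,
        "email": email.lower(),
        "mfa": mfa == "2fa:on",
    }


def find_reset_sprays(log_text, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {source_ip: set_of_targeted_emails} for every source that asked
    for resets of more than `max_distinct` different accounts within any
    `window`-long span. One user forgetting a password repeatedly is not
    flagged; one source walking through a leaked address list is."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "reset_request":
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["email"] for e in evs[start:end + 1]}
            if len(targets) > max_distinct:
                flagged[ip] = targets
                break
    return flagged


def accounts_without_2fa(log_text, leaked_emails):
    """Return the sorted list of accounts that appear in `leaked_emails`,
    were targeted by a reset request, and have no second factor: the
    accounts to which the reset-or-guess risk applies most directly."""
    exposed = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["email"] in leaked_emails and not e["mfa"]:
            exposed.add(e["email"])
    return sorted(exposed)


if __name__ == "__main__":
    # Constructed leaked-address list for the demonstration.
    leaked = {"alice@example.org", "bob@example.org", "carol@example.org"}
    for ip, targets in find_reset_sprays(SAMPLE_LOG).items():
        print(f"reset spray from {ip}: {len(targets)} distinct accounts")
    print("leaked, targeted, no 2FA:", accounts_without_2fa(SAMPLE_LOG, leaked))
```

In the sample data, 203.0.113.7 requests resets for six different accounts in eleven seconds and is flagged, while 198.51.100.2 asks twice for the same account over an hour and is not. The second check is the mitigation side of the same story: accounts on a leaked list that still rely on a password alone are the ones to nudge toward enabling two-factor authentication.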
People who use Twitter anonymously should use a separate email address that doesn’t reveal who they are and is used solely for Twitter, experts say.
Although the hack appears to have happened before Elon Musk took over Twitter, news of the leaked emails adds another headache to the billionaire, whose first few months as Twitter boss were chaotic to say the least.
Twitter did not immediately respond to a message to comment on the hack.
News of the breach could land the company in trouble with the Federal Trade Commission. The San Francisco-based company signed a consent agreement with the agency in 2011, obliging it to close serious data security vulnerabilities.
Twitter paid a $150 million fine for violating the consent order last May, several months before Musk’s acquisition. An updated version introduced new procedures that oblige the company to implement an enhanced data protection program and improve information security.
In November, a group of Democratic lawmakers called on federal regulators to investigate possible violations by the platform of consumer protection laws or its data security obligations.
The FTC said at the time it was “following recent developments at Twitter with great concern,” although no formal investigation was announced. Experts, as well as current and former Twitter employees, have warned of serious security risks arising from the drastically reduced staff and deepening disarray at the company.
In August, Twitter’s former security chief filed a whistleblower complaint alleging that the company misled regulators about its weak cybersecurity defenses and its laxity in trying to root out fake accounts spreading disinformation.
Among Peiter Zatko’s most serious allegations is that Twitter violated the terms of the 2011 FTC settlement by falsely claiming that it had tightened measures to protect the security and privacy of its users.
© Copyright 2023 The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or redistributed without permission.