200M Twitter Profiles, With Email Addys, Dumped on Dark Web for Free

Published : 23/11/2024   Category : security




A data dump of Twitter user details on an underground forum appears to stem from an API endpoint compromise and large-scale data scraping.



Data from 200 million Twitter users has been gathered and put up for free on an underground hacking forum, researchers are warning.
Public account details, including account name, handle, creation date, and follower count, are all part of the 63GB worth of data uploaded to the Dark Web on Jan. 4, according to an investigation from Privacy Affairs. The cybercriminal responsible said the materials were collected via data scraping, which is a process of using automated scripts to lift public data from social media sites. However, the database also contains email addresses, the firm found — which aren't part of users' public profiles.
"The availability of the email addresses associated with the listed accounts could be used to determine the real-life identity or location of the affected account holders through social engineering attacks," said Miklos Zoltan, founder at Privacy Affairs, in a blog post. The email addresses could also be used for spam or scam marketing campaigns and for sending personal threats to individual users.
While it's unclear how the email addresses were accessed, Zoltan noted that the most likely method used could have been the abuse of an application programming interface (API) vulnerability. After all, at least one past Twitter data leak stemmed from the abuse of a Twitter API, resulting in the linking of phone numbers with Twitter handles. And in August, thousands of mobile apps were found to be leaking Twitter API keys.
Other researchers concur with Zoltan's assessment.

"API security is the real story here," Sammy Migues, principal scientist at Synopsys, said in an emailed statement. "As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices. Certainly, this effort is growing much faster than the skills and numbers of application architects who can craft working secure API and zero trust architectures."
Twitter has so far been mum on the developments, and did not immediately respond to a request for comment from Dark Reading.
The 200 million Twitter records appear to be the same data set that appeared for sale for $200,000 in underground markets in December, Privacy Affairs added. At the time, there were 400 million profiles included, but the firm said this latest listing de-duped the database, resulting in a leaner data set with no repeats — and it's now being offered for free to anyone who wants to download it.
Aside from the cyber-danger involved in leaking emails associated with Twitter handles, even the publicly available data could be used for highly targeted attacks.
Specifically, it can be cross-referenced with other data that a user may have shared across platforms to create a 360-degree view of a person — their interests, their likes, the social circles they run in, and even corporate activity (remember, Twitter handles are often used on corporate sites in lieu of direct contact info — and can thus act as metatags that attackers can use to track the user's web presence, far outside of Twitter itself).
In this case, since so much data is collected in volume in a handy database, this process, and the attacks it can engender, can now be automated. This can be a real problem not just for social media users but the platforms themselves — both Facebook and LinkedIn have faced fines and general hot water for past data-scraping incidents. And, who can forget the former's Cambridge Analytica scandal, in which a mind-boggling number of public user profiles and posts were scraped and used to target political messaging to site users.
As far as how to protect oneself from any follow-on cyberattacks (or influence targeting), best practices still apply, according to Jamie Boote, associate software security consultant at Synopsys.
"As always, malicious actors have your email address," he said, via email. "To be safe, users should change their Twitter password and make sure it's not reused for other sites. And from now on, it's probably best to just delete any emails that look like they're from Twitter to avoid phishing scams."
There's also a cautionary tale to be had in terms of being careful with what one publicly shares on social media, to avoid making it easy for cyberattackers to build rich-data profiles.
And Privacy Affairs' Zoltan offered another lesson to be learned: "While not a very popular method at the moment, it would also be useful to use burner email addresses or separate email addresses for online accounts while forwarding emails to a master address. This way, even if the email address associated with a Twitter or any other account is leaked, it can't be associated with the end-user's identity or other online services."
