Hacked! My Twitter user data is out on the dark web – now what?
While trolling through the dark web this week, I found my Twitter account data.
A dark website this month released a dataset of 200 million Twitter profiles. That’s where I found my account data. I know my data had not been exposed in previous releases because I had checked then. In my business, I take safety seriously.
On Wednesday, Twitter said that “there is no evidence that data recently sold was obtained by exploiting a vulnerability in Twitter systems.”
The company suggests that the recently disclosed December and January account data (yes, this is the second most recent release) is “likely a compilation of data that is already publicly available online through various sources.”
Sure, Twitter has already admitted that there was a leak of user data, which was reported in November 2022. But according to Twitter, it was all data from approximately 5.4 million user accounts that had been exposed in August. That is still 5.4 million too many.
This data appears to have come from a 2021 hack. In that attack, a hacker abused an application programming interface (API). With it, email addresses were linked to Twitter profiles. The results include public Twitter profile data, such as name, username and number of followers.
So far, so relatively harmless. But then the attacker used another API to scrape that data and used it to extract private email addresses and phone numbers. The resulting data of approximately 221,608,279 users has been released as a RAR archive. Within it, you’ll find half a dozen text files that add up to 59GB of user data.
According to Have I Been Pwned (HIBP) founder Troy Hunt, 211,524,284 unique email addresses have been exposed. And now, whether from the known leak or not, mine has too. American Express and Experian IdentityWorks have both contacted me to tell me that my data has been exposed.
How can you find out if your account information has been exposed? Run your email address through Have I Been Pwned. If you see the message below, it means your data has been exposed.
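The Have I Been Pwned lookup described above, written out as an added example that is not part of this article. It assumes a real HIBP API key in the HIBP_API_KEY environment variable and, when none is set, runs against a constructed sample response; the breach names it matches on are assumptions to confirm against the HIBP site.

```python
# Added example: check an address with the HIBP v3 breachedaccount endpoint.
import json
import os
import urllib.parse
import urllib.request
from urllib.error import HTTPError

HIBP_BASE = "https://haveibeenpwned.com/api/v3/breachedaccount/"
# Assumed breach names for the Twitter datasets; confirm on haveibeenpwned.com.
TWITTER_BREACH_NAMES = {"Twitter", "Twitter200M"}


def build_request(email: str, api_key: str) -> urllib.request.Request:
    """HIBP wants the address URL-encoded, an hibp-api-key header and a User-Agent."""
    url = HIBP_BASE + urllib.parse.quote(email, safe="") + "?truncateResponse=true"
    return urllib.request.Request(url, headers={
        "hibp-api-key": api_key,
        "user-agent": "hibp-exposure-check/1.0",
    })


def fetch_breaches(req: urllib.request.Request) -> list:
    """Live fetcher: HIBP answers 404 when the address appears in no known breach."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return []
        raise


def exposed_in(email, api_key, fetcher=fetch_breaches, names=TWITTER_BREACH_NAMES):
    """Return (sorted breach names for the address, True if a Twitter set is among them)."""
    breaches = fetcher(build_request(email, api_key))
    found = sorted(b["Name"] for b in breaches)
    return found, any(n in names for n in found)


# Constructed sample, shaped like HIBP's truncated response; not real data.
SAMPLE_RESPONSE = [{"Name": "Twitter200M"}, {"Name": "ExampleBreach"}]

if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY")
    # Without a key, fall back to the constructed sample so the script runs offline.
    fetcher = fetch_breaches if key else (lambda req: SAMPLE_RESPONSE)
    found, twitter_hit = exposed_in("user@example.com", key or "offline", fetcher)
    print("Breaches:", found, "| Twitter exposure:", twitter_hit)
```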
What to do if your Twitter data was compromised
So what can you do about it if your Twitter data is out there too? Well, as American Express told me, be even more vigilant than usual about possible phishing and spam attacks. For example, if you get an email promising you great pet insurance for your dog Spot and you’ve shared a lot of pictures of Spot on Twitter, take a long, hard look at the note before responding to it. Look especially carefully at any URLs in these messages.
People will use your personal information against you. It’s that simple. It’s so ugly.
If you think you’ve already been hacked, check your computer or smartphone with a high-quality antivirus program. Actually, do it anyway. This is not the time to take chances.
You should also remember that in addition to “public” information, semi-private information such as date of birth, phone number, address, hometown and the ever-popular “security question”, your mother’s maiden name, may also be at play.
That means it’s time to go through your most important accounts and change their security questions. While you’re at it, turn on two-factor authentication (2FA) on all your services. It’s just smart, whether you’ve been hacked this time or not.
In particular, if you’re still on Twitter, turn on 2FA. Don’t use text messaging, also known as SMS, as the second factor. The Twitter microservice that delivered SMS messages broke in November, and it’s still not working. Instead, switch your 2FA method from text to email, an authenticator app, or a physical security key, such as a YubiKey.
You should also, as I’ve recommended before, stop using Twitter authentication to log into other sites. That’s just asking for trouble.
Finally, I have warned of major problems from Twitter since Musk took over. Account data leaks like this are a huge red flag. Consider deleting your Twitter account and switching to another, more trusted social network.