Twitter Breached, 235M email addresses exposed


Personal email addresses from 235 million Twitter accounts hacked over the last several years have been exposed, according to Israeli security researcher Alon Gal — making many vulnerable to having their accounts further compromised or identities exposed if they have used the site anonymously to criticize oppressive governments, for instance.

Fortunately, passwords were not leaked; however, malicious hackers can use the email addresses to try to reset people’s passwords – which often works – or guess them if they are commonly used. That’s especially a risk if the accounts are not protected by two-factor authentication, which adds a layer of security to password-protected accounts by requiring users to enter an auto-generated code to log in.

People who use Twitter anonymously need to have a Twitter-dedicated email address that does not disclose who they are, and is used only for Twitter, experts say.

Although the hack seems to have taken place before Elon Musk bought Twitter, the news of the leaked emails adds a new headache for the billionaire, whose first couple of months as head of Twitter have been chaotic, to say the least.

The news of the breach could also get the company in trouble with the Federal Trade Commission. The San Francisco company signed an agreement with the agency in 2011 that requires it to address any serious data-security failures.

Twitter paid a $150 million fine last May, a few months before Musk’s takeover, for violating the FTC agreement. An updated version established new procedures requiring the company to implement an enhanced privacy-protection program as well as beefing up information security.

In November of 2022, a group of lawmakers asked federal regulators to investigate any possible violations by Twitter of consumer-protection laws or of its data-security commitments.

The FTC said at the time that it was “tracking recent developments at Twitter with deep concern,” though no formal investigation has been announced. But experts and current and former Twitter employees have been warning of serious security risks flowing from the drastically reduced staff and deepening disorder within the company.

In August, Twitter’s former head of security, Peiter Zatko, filed a whistleblower complaint alleging that the company misled regulators about its poor cybersecurity defenses and its negligence in attempting to root out fake accounts that spread disinformation.

Among Peiter Zatko’s most serious accusations is that Twitter violated the terms of the 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
