200M Twitter Profiles, with Email Addys, Dumped on Dark Web for Free
Data from 200 million Twitter users has been gathered and put up for free on an underground hacking forum, researchers are warning.

Public account details, including account name, handle, creation date, and follower count, are all part of the 63GB worth of data uploaded to the Dark Web on Jan. 4, according to an investigation from Privacy Affairs. The cybercriminal responsible said the materials were collected via data scraping, the use of automated scripts to harvest publicly visible data from social media sites. However, the database also contains email addresses, the firm found, and those are not part of users' public profiles.

"The availability of the email addresses associated with the listed accounts could be used to determine the real-life identity or location of the affected account holders through social engineering attacks," said Miklos Zoltan, founder at Privacy Affairs, in a blog post. "The email addresses could also be used for spam or scam marketing campaigns and for sending personal threats to individual users."

While it's unclear how the email addresses were accessed, Zoltan noted that the "most likely method used could have been the abuse of an application programming interface (API) vulnerability." After all, at least one past Twitter data leak stemmed from the abuse of a Twitter API, resulting in the linking of phone numbers with Twitter handles. And in August, thousands of mobile apps were found to be leaking Twitter API keys. Leaked keys matter in this context because they let a third party call the API with the app's own access, which makes bulk querying far easier than anonymous scraping.

Other researchers concur with Zoltan's assessment.

"API security is the real story here," Sammy Migues, principal scientist at Synopsys, said in an emailed statement. "As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices. Certainly, this effort is growing much faster than the skills and numbers of application architects who can craft working secure API and zero trust architectures."

Twitter has so far been mum on the developments, and did not immediately respond to a request for comment from Dark Reading.

Public Profile Data Scraping Represents Real Risk

The 200 million Twitter records appear to be the same data set that appeared for sale for $200,000 in underground markets in December, Privacy Affairs added. That listing included 400 million profiles, but the firm said the latest one de-duplicated the database, resulting in a leaner data set with no repeated records, and it's now being offered for free to anyone
who wants to download it.

Aside from the cyber-danger involved in leaking emails associated with Twitter handles, even the publicly available data could be used for highly targeted
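As an added illustration of the API-abuse pattern discussed above (this is example code written for this page, not code from the article, Privacy Affairs or Twitter): a hypothetical identity-lookup endpoint that returns the handle for any submitted email address, beside a hardened version that requires an authenticated caller, rate-limits lookups, and returns the same answer for "no such account" and "account not discoverable". The account table, the endpoint names, the discoverability flag and the scraper's candidate list are all constructed assumptions and do not describe any real Twitter API.

```python
"""Account enumeration via an identity-lookup API, illustrated.

Added example, not code from the original article or from Twitter. The
accounts table, endpoint names and discoverability flag are constructed
assumptions standing in for the generic failure mode the article describes
(an API that lets a caller link an email address to an account handle).
"""
import time
from collections import defaultdict, deque

# Constructed sample data: what a social platform might hold per account.
ACCOUNTS = {
    "alice@example.com": {"handle": "@alice", "discoverable_by_email": True},
    "bob@example.com":   {"handle": "@bob",   "discoverable_by_email": False},
    "carol@example.com": {"handle": "@carol", "discoverable_by_email": False},
}


def lookup_account_vulnerable(email):
    """Weak design: any caller, unauthenticated and unthrottled, learns
    whether an email is registered and which handle it belongs to. The
    response shape also differs for hits and misses, so even without the
    handle the endpoint confirms registration."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"found": False}
    return {"found": True, "handle": acct["handle"]}


class SlidingWindowLimiter:
    """Per-caller rate limit: at most `limit` calls in any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = defaultdict(deque)

    def allow(self, caller):
        now = self.clock()
        q = self.calls[caller]
        while q and now - q[0] > self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_account_hardened(email, caller, limiter):
    """Hardened design, three controls:
    1. authentication: anonymous callers get nothing;
    2. rate limiting: bulk enumeration trips the per-caller limiter;
    3. uniform response honouring the account's own discoverability choice:
       'no such account' and 'account opted out' are indistinguishable."""
    if caller is None:
        return {"error": "authentication required"}
    if not limiter.allow(caller):
        return {"error": "rate limited"}
    acct = ACCOUNTS.get(email)
    if acct is None or not acct["discoverable_by_email"]:
        return {"match": None}
    return {"match": acct["handle"]}


def enumerate_emails(emails, query):
    """What a scraper does: push a list of candidate emails through the
    endpoint and keep whatever links an email to a handle."""
    linked = {}
    for e in emails:
        resp = query(e)
        handle = resp.get("handle") or resp.get("match")
        if handle:
            linked[e] = handle
    return linked


# Constructed wordlist: three registered addresses plus one that is not.
CANDIDATES = list(ACCOUNTS) + ["nobody@example.com"]


def demo():
    """Run the same candidate list against both endpoints.

    Returns (leaked, guarded, anon): everything the weak endpoint gives up,
    what the hardened one gives up before throttling, and the hardened
    endpoint's answer to an unauthenticated caller."""
    leaked = enumerate_emails(CANDIDATES, lookup_account_vulnerable)
    limiter = SlidingWindowLimiter(limit=2, window=60)
    guarded = enumerate_emails(
        CANDIDATES, lambda e: lookup_account_hardened(e, "scraper", limiter))
    anon = lookup_account_hardened("alice@example.com", None, limiter)
    return leaked, guarded, anon


if __name__ == "__main__":
    for label, result in zip(("leaked", "guarded", "anon"), demo()):
        print(f"{label}: {result}")
```

Running `demo()` shows the contrast: the weak endpoint hands over every email-to-handle pairing in the candidate list, while the hardened one yields only the account that chose to be discoverable before the limiter cuts the scraper off. The uniform response is the control most often skipped; a different error message or status code for "unregistered" versus "opted out" is itself a linkage oracle.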