Woman looking worried.

Twitter user data leaks continue to drip from the faucet

Things aren’t going so well for Twitter at the moment. Word has spread of multiple incidents related to user data being scraped, both public and private. Worse, the private data could have potential security implications for people where being as anonymous as possible is one of the things keeping them safe from potential harm.

Grabbing your Twitter phone number and email address

This story is actually several stories rolled into one. It all dates back to 2021, when researchers discovered that people could discover who operates a Twitter account by searching for email or phone number. This is important, because those settings located in…

Settings & Support > Settings & Privacy > Privacy & Safety > Discoverability & Contacts

…give users the option to allow or disallow people who have your phone number or email to find you on Twitter. If someone has a workaround to essentially ignore these settings, this is risky for all sorts of reasons including:

  • Cases of domestic abuse, stalking or harassment.

  • Hostile governments with draconian social media rules.

  • Social engineering and phishing threats.

At the time, that issue was fixed by Twitter staff. So far, so good. Wind forward to 2022 and things all go a bit wrong in retrospect.

Exploited for fun, and possibly profit

A media report in July this year revealed that the vulnerability might have been exploited by someone, with them even potentially trying to sell the scraped information. How much data and how much money? $30,000 for around 5.4 million accounts.

It’s now claimed that more than one version of this data is out there somewhere, accessed by several bad actors. The data allegedly includes Twitter users from parts of the US, the EU, and the UK.

This is already bad enough, but security pro Chad Loder cited a bigger data dump allegedly created using the same issue. Bleeping Computer confirmed the data contains Twitter ID, screen name, location, URL, follower count, account creation date, and more. This is all publicly available information. However, it also includes the phone number and private email data too. Furthermore, it’s confirmed that this data dump’s phone number collection is not in the original leak.

To breach or not to breach, that is the question

There are some interesting debates to be had as to whether or not this constitutes a breach. It’s also a concern that the “find me by phone or email” options are enabled by default, and that numbers are often required to be added after temporary suspension. Guess which option was found to be enabled by default once this user added a mobile number?

Whatever you call it, people affected may well be at risk from this one. Yes, the data has potentially been up for grabs for a while, but immediate impacts aren’t always felt from issues along these lines. There’s currently no easy way to verify if you’re in any of these data dumps. It’s possible you may find a searchable service like Haveibeenpwned lending a helping hand at some point in the future.

For now, there are some limited options ahead of you. Note that many of the below are short term temporary fixes for smaller, pseudo anonymous (or fully anonymous) accounts. In some instances depending on how anonymous you need to be, it may be that the best option is simply delete and start all over again. With that caveat out of the way:

  • Visit the settings options listed above and ensure the discovery settings are turned off.

  • Consider making your profile private (Settings and Privacy > Privacy and Safety > Audience and Tagging > Protect your tweets).

  • Change your Twitter handle (Settings and Privacy > Your account > Your account information). Note that if you have a verified account, changing the username portion which makes up your URL will remove your checkmark. Although, changing verified usernames is not currently working, so swings and roundabouts.

  • It may be that you need to delete all of your tweets. If this is the case, select the app or service that is most suitable for your needs.

  • Change your email address, and your phone number assuming this is practical.

This is just one of many current issues keeping whoever is still employed at Twitter awake at night. While we can’t do much about whatever happens down the road, we can at least be aware of issues filtering their way into the public domain like the above and taking appropriate action whenever possible. Stay safe out there!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.