Usernames and e mail addresses belonging to greater than 200 million Twitter customers have been posted on-line by hackers.

According to reports from security researchers and media retailers together with BleepingComputer, the credentials have been compiled from a variety of earlier Twitter breaches courting again to 2021. Although the database doesn’t embrace customers’ passwords, it nonetheless represents a safety risk to these affected.

“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity agency Hudson Rock, mentioned in a put up describing the hack on LinkedIn. “[It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”

Estimates of the precise variety of customers affected by the breach range, partly due to the tendency for such large-scale knowledge dumps to incorporate duplicate information. Screenshots of the database shared by BleepingComputer present it comprises a variety of textual content information itemizing e mail addresses and linked Twitter usernames, in addition to customers’ actual names (in the event that they shared them with the positioning), their follower counts, and account creation dates. BleepingComputer mentioned it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being offered on one hacking discussion board for as little as $2.

Troy Hunt, creator of the cybersecurity alert website Have I Been Pwned, additionally analyzed the breach and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks to be pretty much what it’s been described as.”

The breach has now been added to Have I been Pwned’s programs, which means anybody can visit the site and enter their e mail handle to see if it was included within the database.

The origin of the database appears to be traced again to 2021, reports The Washington Post, when hackers found a vulnerability in Twitter’s safety programs. The flaw allowed malicious actors to automate account lookups — coming into e mail addresses and cellphone numbers en masse to see in the event that they have been related to Twitter accounts.

Twitter disclosed this vulnerability in August 2022, saying it had fastened the problem in January that 12 months after it was reported as a bug bounty. The firm claimed on the time it “had no evidence to suggest someone had taken advantage of the vulnerability,” however cybersecurity consultants had already spotted databases of Twitter credentials for sale in July that 12 months. This most up-to-date database of greater than 200 million accounts appears to have its origins on this years-old vulnerability, which went unnoticed by Twitter for roughly seven months.