According to Israeli security researcher Alon Gal, 235 million Twitter accounts have been linked to personal emails.
This leaves millions of people vulnerable to having their accounts compromised, or their identities revealed if they have used the site anonymously to criticize oppressive governments, for example.
In a LinkedIn post this week, Gal—the co-founder and CTO of cybersecurity company Hudson Rock—wrote that the leak “will regrettably lead to a lot of hacking, targeted phishing, and doxxing.”
Although passwords were not exposed, attackers can use the leaked email addresses to trigger password resets, to send targeted phishing, or to try passwords those users reused from other breaches.
That is particularly dangerous for accounts that are not protected by a second authentication factor.
Experts advise those who use Twitter anonymously to register with a dedicated email address used for nothing else, so that the address itself reveals nothing about who they are.
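The abuse described above, a wave of password-reset requests aimed at addresses from a leaked list, is something a defender can watch for. The following is an added illustration, not code from the article or from Twitter: it parses constructed auth log lines in a hypothetical format, compares them against a small constructed stand-in for the leaked email set, and raises an alert when one leaked address is hit repeatedly or when one source IP sprays resets across many leaked addresses inside a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the leaked handle->email list (hypothetical
# addresses, not real leaked data).
LEAKED_EMAILS = {
    "alice@example.org",
    "bob@example.org",
    "carol@example.org",
    "dave@example.org",
}

# Constructed auth log lines in a hypothetical format:
#   <ISO8601 UTC> <event> email=<addr> ip=<src>
SAMPLE_LOG = """\
2023-01-05T10:00:01Z reset_request email=alice@example.org ip=203.0.113.7
2023-01-05T10:00:09Z reset_request email=bob@example.org ip=203.0.113.7
2023-01-05T10:00:15Z reset_request email=carol@example.org ip=203.0.113.7
2023-01-05T10:00:21Z reset_request email=dave@example.org ip=203.0.113.7
2023-01-05T10:01:02Z reset_request email=alice@example.org ip=198.51.100.4
2023-01-05T10:02:40Z reset_request email=alice@example.org ip=198.51.100.9
2023-01-05T10:03:11Z login_ok email=erin@example.net ip=192.0.2.33
2023-01-05T12:30:00Z reset_request email=erin@example.net ip=192.0.2.33
""".splitlines()


def parse_line(line):
    """Parse one log line into (timestamp, event, email, ip); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts_raw, event, email_kv, ip_kv = parts
    if not (email_kv.startswith("email=") and ip_kv.startswith("ip=")):
        return None
    try:
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, event, email_kv[len("email="):].lower(), ip_kv[len("ip="):]


def detect_reset_abuse(lines, leaked, window=timedelta(minutes=10),
                       per_email_threshold=3, per_ip_threshold=3):
    """Return alerts for password-reset abuse aimed at leaked addresses.

    Two signals, evaluated over reset_request events only:
      * ('email_burst', email, n): one leaked address receives at least
        per_email_threshold reset requests within `window`.
      * ('ip_spray', ip, n): one source IP requests resets for at least
        per_ip_threshold distinct leaked addresses within `window`.
    Each address or IP is reported at most once.
    """
    events = [e for e in map(parse_line, lines) if e and e[1] == "reset_request"]
    events.sort(key=lambda e: e[0])

    alerts = []
    by_email = defaultdict(list)   # email -> timestamps inside the window
    by_ip = defaultdict(list)      # ip -> (timestamp, email) inside the window
    flagged_emails, flagged_ips = set(), set()

    for ts, _, email, ip in events:
        if email not in leaked:
            continue  # only addresses from the leaked set are of interest here

        # Sliding window per address: keep requests within `window` of this one.
        by_email[email] = [t for t in by_email[email] if ts - t <= window] + [ts]
        if len(by_email[email]) >= per_email_threshold and email not in flagged_emails:
            flagged_emails.add(email)
            alerts.append(("email_burst", email, len(by_email[email])))

        # Sliding window per source IP: how many distinct leaked addresses it hit.
        by_ip[ip] = [(t, e) for t, e in by_ip[ip] if ts - t <= window] + [(ts, email)]
        distinct = {e for _, e in by_ip[ip]}
        if len(distinct) >= per_ip_threshold and ip not in flagged_ips:
            flagged_ips.add(ip)
            alerts.append(("ip_spray", ip, len(distinct)))

    return alerts


if __name__ == "__main__":
    for alert in detect_reset_abuse(SAMPLE_LOG, LEAKED_EMAILS):
        print(alert)
```

On the constructed sample this reports one IP spraying four leaked addresses within seconds and one leaked address receiving three resets from three different IPs; the non-leaked address and the ordinary login are ignored. In a real deployment the leaked set should be held as salted hashes rather than plaintext, and the thresholds tuned against the site's normal reset rate.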
Although the data appears to have been taken before Elon Musk took over Twitter, the revelation of the leaked emails added to the billionaire's troubles during his, to put it mildly, tumultuous first few months in charge.
Twitter did not immediately respond to a request for comment on the incident.
The Federal Trade Commission could take action against the company if it finds that the leak violated its consent order.
In 2011, the San Francisco company and the FTC entered into a consent agreement that required Twitter to address significant data security problems.
Several months before Musk’s takeover, in May of last year, Twitter agreed to pay a $150 million fine for breaking the consent decree.
The revised order imposed additional requirements, obliging the company to strengthen its information security program and adopt an improved privacy protection policy.
A group of Democratic lawmakers requested in November that federal regulators look into any potential transgressions of the platform’s consumer protection and data security agreements.
Although no official inquiry has been announced, the FTC stated at the time that it is “watching recent developments at Twitter with serious concern.”
However, experts and current and former Twitter employees have been sounding the alarm about significant security vulnerabilities stemming from the company’s escalating disarray and drastically diminished staff.
In a whistleblower complaint filed in August, Twitter's former head of security, Peiter Zatko, alleged that the company had misled regulators about the strength of its cybersecurity defenses and had been negligent in trying to identify fake accounts that spread misinformation.
One of Zatko's gravest allegations is that Twitter violated the 2011 FTC settlement by misrepresenting the extent of the security and privacy protections it provides its users.