• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
RestorePrivacy

RestorePrivacy

Resources to stay safe and secure online

  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Skiff Mail Review
    • Runbox Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • NordVPN vs Surfshark
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact
  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Skiff Mail Review
    • Runbox Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • NordVPN vs Surfshark
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact

Twitter Now Acknowledges Security Bug That Exposed Data from 5.4+ Million Accounts

August 5, 2022 By Sven Taylor — 6 Comments
Twitter data breach

Last month we were the first to report on a breaking data security incident involving Twitter and a database compiled from 5.4 million accounts that was for sale on a cybercrime forum. Today, Twitter has formally acknowledged the security bug that caused this data breach.

Twitter has now officially acknowledged our “news report” that first broke the story about a threat actor leveraging a security vulnerability to acquire data from 5.4+ million accounts.

Last month, we spoke directly with the threat actor selling the data and we also analyzed the data sample that was being sold, confirming its legitimacy. (See the full report here.)

Today, Twitter is now acknowledging the security bug and the subsequent data breach that impacts “some accounts” — but the full number remains unknown.

Twitter security data breach

Twitter goes on to explain in the report how anyone could acquire Twitter account associated with a given email or phone number.

As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021.

This vulnerability is what allowed a threat actor to compile a database of Twitter account data from over 5.4 million Twitter users. The data included the Twitter user’s account handle, phone and/or email, plus other scraped data.

Below is a redacted sample that we analyzed from the cybercrime forum where the full database was being sold for $30,000.

Twitter email hack database security breach

Unfortunately, the impact of this data breach is difficult to quantify.

Full impact of Twitter data breach remains unknown

Unfortunately, there is really no way to know how many Twitter users this vulnerability impacted.

The threat actor has since removed the listing on the cybercrime forum — and this suggests the database has been sold. Additionally, the sample from the database only contained 10 lines, out of 5.4 million.

There may have also been other databased compiled from this security vulnerability.

Twitter has also acknowledged that they are unable to quantify the scope of this breach:

We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.

How this data breach affects Twitter users

This is a serious data security threat that exposes Twitter users to threat actors and cybercriminals.

As we reported last month, the exact number of accounts listed for sale in the database was 5,485,636 based on the seller’s information. However, there could be even more Twitter user’s affected by this breach — there is no way to know for sure at this time.

Particularly concerning is the fact that many people use pseudonymous accounts that could be exposed in this latest breach, as Twitter now admits.

This data could potentially de-anonymize Twitter users in the database and/or expose users to targeted phishing attempts.

Twitter is recommending people enable two-factor authentication to mitigate risks.

While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins.

Additionally, Twitter is also recommending that people not use a “publicly known phone number or email address” with their Twitter account.

To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

Let that one sink in.

Twitter is now saying you should be using a burner email or burner phone number with Twitter, not your real “publicly known” email or phone.

Don’t worry, we’ve got you covered. See our guide on burner email here.

About Sven Taylor

Sven Taylor is the lead editor and founder of Restore Privacy, a digital privacy advocacy group. With a passion for digital privacy and accessible information, he created RestorePrivacy to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics.

Reader Interactions

Comments

  1. Steve Rogers

    August 29, 2022

    I had my twitter account for more than 16 years now.

    Last week it was late and I was on twitter with my phone. There was a supposed “sensitive” tweet and then Twitter insisted I enter my birthdate and year of birth. My phone display is kind of small and I wasn’t wearing my glasses. I used the pull-down method (the only method) and I selected the wrong year of birth. Twitter then banned me saying I was under 13 years old.

    Now, twitter says if I want access and regain my account I have to provide them government ID that matches my name et al when I signed up. I used a pseudo-name. Besides, there’s no way in hell I’m going to send them my personal government issued ID even though I had a legit phone number on file with them (not a good idea in retrospect).

    I tried to plead my case to the twitter bots but they still locked me out. In fact, there’s no way to reach them either.

    This goes to show you the extreme nature twitter can go: either far left or far right with security and more.

    Reply
  2. RPV

    August 23, 2022

    This is to be expected as Twitter’s former head of cybersecurity says: https://www.nbcnews.com/tech/tech-news/twitter-whistleblower-alleges-major-security-issues-rcna44361

    Reply
    • BoBeX

      August 27, 2022

      Hi RPV,
      A good read. Thanks for posting

      Reply
  3. washer

    August 12, 2022

    Twitter is a terrible company based solely on trying to flag false and misleading content, or even having abusive and other supposed violations removed. It’s like the options that currently exist are just for show.

    And what happened to all the comments before August 5? They have disappeared.

    Reply
  4. BoBeX

    August 6, 2022

    Hi Sven,

    What you are doing is of great service to the community.
    I have noticed other news outlets referencing your research, and so they should.

    Only the experience of @April needs to be noted to see what a rough time these sorts of events can cause people.
    I recommend your privacy and security guides.
    Resources are available for affected people, for example in Australia you look to https://www.cyber.gov.au/

    And if anyone wants an insider guide to what the nasty little buggers might do with your accounts:
    https://darknetdiaries.com/episode/112/

    Great reporting!
    People need to know.

    Regards,

    BoBeX

    Reply
  5. April

    August 5, 2022

    Thank you for reporting on this. I hope you follow up. I was one of the people hacked…Twitter is doing NOTHING. NOTHING at all.
    Meanwhile, we’re being contacted on WhatsApp with extortion offers in order to get our accounts back. A coworker of mine was hacked as well, they restored his account but the hackers now have his email account.

    I’ve sent Twitter message after message and just get a form letter back.
    It’s very frustrating and shitty.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

Digital Privacy Essentials:
Secure Browser
Private Search Engines
Secure Email
Best Password Managers
Secure Messaging Services
Best Ad Blockers
Best VPN Services
Secure Cloud Storage

Privacy & Security Guides:
Privacy Tools
Alternatives to Google Products
Firefox Privacy Modifications
Five Eyes, 9 Eyes, 14 Eyes Spying
Browser Fingerprinting
Is Tor Safe?
Alternatives to Gmail
VPN vs Tor
Alternatives to WhatsApp
Is Your Antivirus Spying on You?
Controlling Communication Channels is Crucial for Privacy
Anonymity Networks: VPNs, Tor, and I2P
How to Really Be Anonymous Online
Private and Anonymous Payments

Secure Email Reviews:
ProtonMail Review
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Temporary Email Services
Encrypted Email

Password Manager Reviews:
Bitwarden Review
LastPass Review
KeePass Review
NordPass Review
Dashlane Review
1Password Review
Best Password Managers

Secure Messaging App Reviews:
Wire Review
Signal Review
Threema Review
Telegram Review
Session Review
Wickr Review

Secure Cloud Storage Reviews
Tresorit Review
MEGA Cloud Review
Sync.com Review
Nextcloud Review
IDrive Review
pCloud Review
SpiderOak Review
NordLocker Review

How To Guides
How to Encrypt Files on Windows
How to Encrypt Email
How to Configure Windows 10 for Privacy
How to use Two-Factor Authentication (2FA)
How to Secure Your Android Device for Privacy
How to Secure Your Home Network
How to Protect Yourself Against Identity Theft
How to Unblock Websites
How to Fix WebRTC Leaks
How to Test Your VPN
How to Hide Your IP Address
How to Create Strong Passwords
How to Really Be Anonymous Online

About RestorePrivacy

Contact

Restore Privacy Checklist

  1. Secure browser: Modified Firefox or Brave
  2. VPN: NordVPN [63% Off Coupon] or Surfshark
  3. Ad blocker: uBlock Origin or AdGuard
  4. Secure email: Mailfence or Tutanota
  5. Secure Messenger: Signal or Threema
  6. Private search engine: MetaGer or Brave
  7. Password manager: NordPass or Bitwarden

About

RestorePrivacy is a digital privacy advocacy group committed to helping people stay safe and secure online. You can support this project through donations, purchasing items through our links (we may earn a commission at no extra cost to you), and sharing this information with others. See our mission here.

We’re available for Press and media inquiries here.

RestorePrivacy is also on Twitter

COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP