Hackers stole over 200 million email addresses from Twitter users and published them on an online forum, cybersecurity firm says

• Hackers have leaked email addresses from over 200 million Twitter users, a cybersecurity firm said.
• The database could be used to hack high-profile, political, or crypto accounts on Twitter.

Hackers have leaked the details of more than 200 million Twitter accounts, including email addresses, phone numbers, and account handles, onto an online hacking forum, cybercrime intelligence company Hudson Rock told Insider on Friday.

The news was previous reported by outlets including Reuters, CNN, and The Guardian.

A database with the "unique records," of 235 million Twitter users was posted onto a forum and made public, co-founder and chief technology officer at Hudson Rock, Alon Gal, said in a Wednesday LinkedIn post.

"This is one of the most significant data leaks in history and will unfortunately lead to a lot of accounts getting hacked, targeted with phishing, and doxxed," Gal told Insider in a statement.

"I urge Twitter users to change passwords and to be suspicious of any phishing attempts, and for Twitter to acknowledge this breach as soon as possible."

Insider was unable to independently verify the authenticity of the data Hudson Rock said had been leaked.

Twitter did not immediately respond to Insider's request for comment on the leaks, and the social-media giant is yet to publicly acknowledge such a breach.

Gal warned in an additional LinkedIn post that hackers will take advantage of the database to hack "high profile accounts," "crypto Twitter accounts," and "political accounts." Hudson Rock had earlier linked the hacking of British TV personality Piers Morgan's Twitter account to the leak.

Hackers have been selling and circulating large amounts of both public and private data from Twitter profiles since July 2022, technology site Bleeping Computer said.

The data is thought to have stemmed from a flaw in Twitter's API, which the company said it fixed in January 2022, which allowed hackers to discover what Twitter handles matched registered email addresses and phone numbers. That allowed scammers to compile a database, and potentially identify users who tweet anonymously.

Bleeping Computer reported that it was able to confirm the validity of many of the email addresses listed in Wednesday's leak.

Troy Hunt, creator of website Have I Been Pwned, told Bleeping Computer that the leak has been added to his website. Visitors to the HIBP website can use it to check if their email is part of the Twitter leak.

Gal had first reported in December that hackers had exploited Twitter's API flaw to compile a database containing information for around 400 million Twitter users. A hacker, called "Ryushi", took credit for the cache and demanded $200,000 to hand over the data for deletion per the BBC.

Gal's post on Wednesday clarified that the he believes the final count of the database is 235 million rather than 400 million. Hunt said in a tweet that he had discovered around 211 million unique email addresses linked to the Twitter leak.