top of page

200 million Twitter users’ data available in free data dump

The email addresses and Twitter user data from 200 million accounts has been made available for anyone to download for free from a popular hacking forum.

An API vulnerability exploited in mid-2021 enabled threat actors to find accounts associated with user credentials through the application’s discoverability function. Twitter then fixed this vulnerability in January 2022.

But despite the vulnerability being fixed 12 months ago, multiple threat actors have now released data sets collected by exploiting the API vulnerability.

In July 2022 the first data leak of 5.4 million users was offered for sale at $30,000 and was eventually released for free in November.

A further data set, reportedly containing the data of 17 million users, was being privately circulated in November 2022 and a threat actor started selling a data set that they claimed contained 400 million Twitter users’ details scraped using the same API vulnerability.

On January 4 this year, a threat actor made a data set available on a hacking forum consisting of 200 million Twitter users’ details.

It has been reported with confidence that at least part of this data set is the same as those in the 400 million set circulated in November with duplicates removed.

The tactic employed in 2021 in the original data scraping involved utilising email addresses already exposed in earlier data breaches, feeding them into the API vulnerability and identifying corresponding Twitter accounts.

Therefore, any accounts using a unique email address, purely for use on Twitter, or using an address not seen in a previous breach will not appear.

Is your email in the leak?

Data breach notification service Have I Been Pwned (HIBP) has added the Twitter data leak to its system and has begun notifying subscribers if their email was found in the data set.

Troy Hunt, the creator of HIBP, has stated that there is a total of 211,524,284 unique email addresses in the leak, down from the original number of 221,608,279 lines.

To check if your email is part of the Twitter leak, you can visit Have I Been Pwned and search with your email. If your email is part of the leak, HIBP will notify you with the list of detected data breaches, including the Twitter one.

What should you do if your listed?

Even though this data leak only contains email addresses, it could be used by threat actors to conduct phishing attacks against accounts, especially verified ones.

Verified accounts with large followers are highly valued as they are often used to steal cryptocurrency through online scams.

This leak is also a significant privacy concern, especially for Twitter users who tweet anonymously. With this leak, it may be possible to identify anonymous Twitter users and expose their real identities.

All Twitter users should be on the lookout for targeted phishing scams that attempt to steal your passwords or other sensitive information.

Unfortunately, if you are concerned about your identity being revealed by a leaked email address, there is not much you can do.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page