While trolling through the dark web this week, I found my Twitter account's data.
A dark web site this month released a data set of 200 million Twitter profiles. That's where I found my account's data. I know my data hadn't been revealed in earlier releases because I'd checked then. In my business, I take security seriously.
Twitter suggests the account data exposed in December and January (yes, this is the second recent release) is "likely a collection of data already publicly available online through different sources."
That data appears to have come from a 2021 attack in which a hacker abused a Twitter application programming interface (API) that, given an email address, returned the Twitter profile registered to it. The results include public Twitter profile data, such as names, usernames, and follower counts.
So far, so relatively harmless. But the attacker then used another API to scrape the public profile data for those accounts, producing a data set that pairs public profiles with private email addresses and phone numbers. The resulting data on 221,608,279 users has been released as a RAR archive containing half a dozen text files that add up to 59GB of user data.
How can you tell if your account's information has been revealed? Run your email address through Have I Been Pwned. If the site lists your address in the Twitter breach, your data has been exposed.
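For anyone who would rather script that check than paste addresses into a web form, here is an added example (mine, not from the article or from Have I Been Pwned) that queries the HIBP v3 breached-account API and summarizes which kinds of data were exposed. It assumes the v3 endpoint `https://haveibeenpwned.com/api/v3/breachedaccount/{account}`, an `hibp-api-key` header (a paid key), a required `user-agent` header, a 404 meaning "not in any breach", and the `Name`/`Title`/`BreachDate`/`DataClasses` fields returned with `truncateResponse=false`. The sample response embedded below is constructed, not a real HIBP record, so the summary logic runs offline.

```python
"""Look up an email address in Have I Been Pwned and summarize what was exposed.

Added example, not part of the original article. See the lead-in for the API
assumptions; the SAMPLE_RESPONSE below is constructed, not real HIBP data.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

HIBP_BREACHED_ACCOUNT = "https://haveibeenpwned.com/api/v3/breachedaccount/"

# Data classes that feed the follow-on phishing risk the article describes:
# they let an attacker tie a public profile to private contact details.
CONTACT_CLASSES = {"Email addresses", "Phone numbers",
                   "Physical addresses", "Dates of birth"}


def fetch_breach_response(account: str, api_key: str, timeout: float = 10.0) -> str:
    """Return the raw JSON body for `account`, or "[]" when HIBP answers 404.

    Needs network access and a valid key; the offline demo below never calls it.
    """
    url = (HIBP_BREACHED_ACCOUNT + urllib.parse.quote(account, safe="")
           + "?truncateResponse=false")
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,
        "user-agent": "breach-check-example/1.0",  # HIBP rejects blank user agents
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "[]"   # documented meaning: account found in no breach
        raise             # 401 bad key, 429 rate limited, etc.


def summarize_breaches(body: str) -> dict:
    """Reduce a breachedaccount response to the facts a user needs to act on."""
    breaches = json.loads(body)
    names = sorted(b["Name"] for b in breaches)
    classes = sorted({c for b in breaches for c in b.get("DataClasses", [])})
    return {
        "breached": bool(breaches),
        "breaches": names,
        "data_classes": classes,
        "contact_info_exposed": sorted(CONTACT_CLASSES.intersection(classes)),
    }


# Constructed sample modeled on the v3 response shape (not a real HIBP record).
SAMPLE_RESPONSE = json.dumps([
    {"Name": "ExampleSocialDump", "Title": "Example Social (scrape)",
     "BreachDate": "2021-06-01",
     "DataClasses": ["Email addresses", "Names", "Phone numbers",
                     "Social media profiles", "Usernames"]},
    {"Name": "ExampleForum", "Title": "Example Forum", "BreachDate": "2019-03-15",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python hibp_check.py you@example.com "$HIBP_API_KEY"
        body = fetch_breach_response(sys.argv[1], sys.argv[2])
    else:
        body = SAMPLE_RESPONSE
    print(json.dumps(summarize_breaches(body), indent=2))
```

Run it with an address and your key to hit the live API, or with no arguments to see the summary over the constructed sample. The `contact_info_exposed` list is the part worth reading: if phone numbers or addresses appear there, the phishing advice below applies with extra force.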
What you should do if your Twitter data was compromised
So what can you do about it if your Twitter data is out there, too? Well, as American Express told me, be even warier than usual about possible phishing and spam attacks. For example, if you get an email message promising you great pet insurance for your dog Spot and you've shared many photos of Spot on Twitter, take a long, hard look at the note before responding to it. In particular, look carefully at any URLs in these messages.
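"Look carefully at any URLs" is easier said than done in an HTML email, where the visible text and the real link target can differ. As an added example (mine, not from the article or from any of the companies it names), the script below pulls every anchor out of a message body and flags the link tricks phishing mail relies on: visible text naming one host while the href goes to another, userinfo before an `@` that makes the real host look like a path, punycode (`xn--`) hostnames, raw IP hosts, plain `http`, and a brand name buried in a subdomain of an unrelated registrable domain. The sample message and the `TRUSTED_DOMAINS` list are constructed assumptions, and the registrable-domain helper is a deliberate two-label approximation rather than a public-suffix lookup.

```python
"""Flag suspicious links in an HTML email body.

Added example, not part of the original article. SAMPLE_EMAIL and
TRUSTED_DOMAINS are constructed for the demo.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"twitter.com", "americanexpress.com"}  # assumption for the demo


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Approximation: no public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inspect_link(href: str, text: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    if u.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {u.scheme!r}")
    elif u.scheme == "http":
        findings.append("plain http")
    if u.username is not None:  # https://twitter.com@evil.example really goes to evil.example
        findings.append("userinfo before host")
    if "xn--" in host:
        findings.append("punycode host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP host")
    except ValueError:
        pass
    reg = registrable_domain(host)
    for brand in sorted(trusted):
        if brand.split(".")[0] in host and reg != brand:
            findings.append(f"looks like {brand} but registrable domain is {reg}")
    m = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != reg:
        findings.append(f"text says {m.group(1)} but link goes to {host}")
    return findings


def inspect_message(html: str) -> list:
    """Inspect every link in an HTML body; returns one dict per link, in order."""
    collector = _LinkCollector()
    collector.feed(html)
    return [{"href": href, "text": text, "findings": inspect_link(href, text)}
            for href, text in collector.links]


# Constructed phishing sample in the spirit of the article's "Spot" scenario.
SAMPLE_EMAIL = """<html><body>
<p>Hi, we noticed you love your dog Spot! Claim your pet insurance quote:</p>
<a href="https://twitter.com@pet-offers.example/claim">https://twitter.com/offers</a>
<p>Or log in to confirm your account:</p>
<a href="http://twitter.com.account-verify.example/login">Confirm on Twitter</a>
<a href="https://help.twitter.com/en/safety-and-security">Twitter safety tips</a>
</body></html>"""

if __name__ == "__main__":
    for entry in inspect_message(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if entry["findings"] else "ok"
        print(f"{status:10} {entry['href']}")
        for f in entry["findings"]:
            print(f"           - {f}")
```

On the sample, the first two links are flagged (userinfo trick plus text/target mismatch; plain http plus a `twitter.com.` prefix on an unrelated domain) while the genuine `help.twitter.com` link passes. The checks are heuristics, so treat a clean result as "nothing obvious", not as proof the message is safe.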
You should also remember that besides "public" information, semi-private information such as your birthday, phone number, address, hometown, and the answer to that ever-popular "security" question, your mom's maiden name, may also now be in play.
That means it's time to review your most important accounts and change their security questions; better still, answer them with random strings kept in your password manager, since real answers are exactly what this kind of data set hands an attacker. While you're at it, turn on two-factor authentication (2FA) on all your services. That's just smart, whether your data was in this release or not.