Hacked! My Twitter user data is out on the dark web -- now what?

Your Twitter user data may now be out there too, including your phone number. Here's how to check and what you can do about it.

While trolling through the dark web this week, I found my Twitter account's data. 

A dark web site this month released a data set of 200 million Twitter profiles. That's where I found my account's data. I know my data hadn't been revealed in earlier releases because I'd checked then. In my business, I take security seriously.

On Wednesday, Twitter said that "there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems." 

The company suggests the account data exposed in December and January (yes, this is the second recent release) is "likely a collection of data already publicly available online through different sources." 

Sure, Twitter has already admitted that there was a leak of user data, which was reported on in November 2022. But, according to Twitter, that consisted of data on about 5.4 million user accounts, a leak it had disclosed in August. That's still 5.4 million too many. 

That data appears to trace back to a 2021 hack. In that attack, a hacker abused an application programming interface (API) that, given an email address or phone number, would reveal which Twitter account it belonged to. With it, email addresses were connected to Twitter profiles, and the results include public Twitter profile data, such as names, usernames, and follower counts.


So far, relatively harmless. But the attacker then pushed large lists of email addresses and phone numbers through that flaw and scraped the public profile of every account that matched, so each record ties a private email address or phone number to a public profile. The resulting data, some 221,608,279 records, has been released as a RAR archive. Within it, you'll find half a dozen text files adding up to 59GB of user data. 

According to Have I Been Pwned (HIBP)'s founder Troy Hunt, 211,524,284 unique email addresses have been revealed. And now, whether from that known leak or not, mine has too. American Express and Experian IdentityWorks have both contacted me to tell me my data has been revealed.

How can you tell if your account's information has been revealed? Run your email address through Have I Been Pwned. If you see the message below, that means your data's been exposed.
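One way to automate that check, as an added example that is not part of the article: the script below queries Have I Been Pwned's breached-account API (v3, which needs an API key and a User-Agent header and answers HTTP 404 when an address is in no breach at all) and picks out the Twitter-related breaches. The JSON sample is constructed, and the breach name Twitter200M is assumed here to be the label HIBP uses for this data set.

```python
"""Check an email address against Have I Been Pwned and flag Twitter breaches."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"
USER_AGENT = "twitter-leak-check/1.0"   # HIBP rejects requests without a User-Agent

# Constructed sample of the JSON HIBP returns (with its default truncateResponse=true
# each entry carries only the breach Name). The breach names are illustrative;
# Twitter200M is assumed to be HIBP's label for the 200 million-profile data set.
SAMPLE_RESPONSE = '[{"Name":"Adobe"},{"Name":"Twitter200M"},{"Name":"Dropbox"}]'


def parse_breach_names(body: str) -> list[str]:
    """Extract breach names from a breachedaccount response body."""
    return [entry["Name"] for entry in json.loads(body)]


def twitter_breaches(names: list[str]) -> list[str]:
    """Keep only breaches whose name mentions Twitter (e.g. Twitter200M)."""
    return [n for n in names if "twitter" in n.lower()]


def query_hibp(email: str, api_key: str) -> list[str]:
    """Return breach names for `email`; an empty list means HIBP has no record of it."""
    url = HIBP_URL + urllib.parse.quote(email, safe="")
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "User-Agent": USER_AGENT}
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return parse_breach_names(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:      # documented meaning: address not found in any breach
            return []
        raise                    # 401 (bad key), 429 (rate limited) etc. should be visible


def report(email: str, names: list[str]) -> str:
    """Human-readable one-line verdict for an address."""
    hits = twitter_breaches(names)
    if hits:
        return f"{email}: in {len(names)} breach(es), including Twitter data: {', '.join(hits)}"
    if names:
        return f"{email}: in {len(names)} breach(es), none of them Twitter"
    return f"{email}: not found in any breach"


if __name__ == "__main__":
    # Usage: HIBP_API_KEY=... python hibp_check.py you@example.com
    # Without a key, demonstrate on the constructed sample instead of calling the API.
    email = sys.argv[1] if len(sys.argv) > 1 else "you@example.com"
    key = os.environ.get("HIBP_API_KEY")
    names = query_hibp(email, key) if key else parse_breach_names(SAMPLE_RESPONSE)
    print(report(email, names))
```

A 404 is the normal "good news" answer from this endpoint, so the code turns it into an empty list rather than an error; anything else (a rejected key, rate limiting) is left to surface so a silent failure is never mistaken for a clean bill of health.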


[Screenshot: the Have I Been Pwned result for an address included in the 2023 Twitter data set. If you see this message on Have I Been Pwned, well, yes, yes you have been. Screenshot by Steven J. Vaughan-Nichols/ZDNET]

What you should do if your Twitter data was compromised

So what can you do about it if your Twitter data is out there, too? Well, as American Express told me, be even warier than usual about phishing and spam. Leaked profile data makes the bait more convincing: if you get an email promising great pet insurance for your dog Spot, and you've shared many photos of Spot on Twitter, take a long, hard look at the message before responding to it. In particular, check where any link actually points, not just what its text says, and if you need to reach the company, type its address yourself rather than clicking.
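The link checks that paragraph asks for, written out as an added example that is not part of the article: the function below looks at a link's real target and flags the tricks phishing mail leans on (user info before the host, a raw IP address, punycode labels, plain http, and link text whose domain does not match the destination). The sample links are constructed, and the registrable-domain helper is a deliberate simplification that takes the last two labels of a host instead of consulting the Public Suffix List.

```python
"""Flag the link tricks that phishing mail built from leaked profile data relies on."""
import ipaddress
import re
from urllib.parse import urlsplit

# Matches something that looks like a domain name inside link text.
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def registrable_domain(host: str) -> str:
    """Assumed simplification: last two labels of the host (no Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_warnings(href: str, display_text: str) -> list[str]:
    """Return the reasons a link looks deceptive; an empty list means nothing obvious."""
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower()
    warnings = []

    # http://twitter.com@evil.example/ : everything before '@' is user info, not the host
    if parts.username is not None:
        warnings.append("user info before the host; the real host is " + host)

    # Legitimate services send you to names, not bare addresses
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass

    # xn-- labels render as Unicode and may be lookalike characters
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label; displayed characters may be lookalikes")

    if parts.scheme != "https":
        warnings.append("not https")

    # Link text that names one domain while the href goes somewhere else
    shown = DOMAIN_IN_TEXT.search(display_text.lower())
    if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
        warnings.append(f"text shows {shown.group(0)} but link goes to {host}")

    return warnings


if __name__ == "__main__":
    # Constructed examples: one honest link, three in the style of a phishing mail
    SAMPLES = [
        ("https://twitter.com/settings/security", "twitter.com"),
        ("http://twitter.com@192.0.2.10/login", "twitter.com"),
        ("https://twitter-account-help.example/reset", "https://twitter.com/reset"),
        ("https://xn--twitter-abc.example/", "Twitter"),   # xn-- label is made up
    ]
    for href, text in SAMPLES:
        print(href, "->", link_warnings(href, text) or "looks consistent")
```

The user-info case is the one people miss most often: `twitter.com@192.0.2.10` is parsed by every browser as a login name for the host `192.0.2.10`, and the familiar name at the front is pure decoration.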

People will use your personal data against you. It's that simple. It's that ugly. 

A leak of Twitter's user data does not by itself mean your own devices have been compromised, but if you think you may have been hacked, check your computer or smartphone with a reputable anti-virus program. Actually, do that anyway. This is no time to take chances.

You should also remember that besides "public" information, semi-private details such as your birthday, phone number, address, hometown, and the answer to that ever-popular "security" question, your mom's maiden name, may also now be in play.

That means it's time to review your most important accounts and change their security questions; better still, answer them with random strings kept in a password manager, since a truthful answer is exactly what a leak like this hands an attacker. While you're at it, turn on two-factor authentication (2FA) on all your services. That's just smart, whether you've been hacked this time or not. 

In particular, if you're still on Twitter, turn on 2FA. Do not, however, use texting, aka SMS, as your second factor. The Twitter microservice that delivered SMS messages broke in November, and it's still acting up; beyond that, SMS codes go to whoever can talk your carrier into moving your number to their SIM. Instead, switch your 2FA method from texting to an authenticator app or a physical security key, such as a YubiKey.

You should also, as I've recommended earlier, stop using Twitter authentication to sign in to other websites. "Sign in with Twitter" turns one compromised account into a key to every site that trusts it. That's just asking for trouble.

Finally, I've been warning about big trouble from Twitter since Musk took over. Account data leaks like this are a big red flag. Consider deleting your Twitter account and switching to another, more reliable social network.
