“Unfortunately there will be a lot of hacking, targeted phishing and doxing going on,” Alon Gal, co-founder of Israeli cyber security-monitoring firm Hudson Rock, wrote on LinkedIn. He called it “one of the most significant leaks I’ve seen”.
Twitter has not commented on the report, which Gal first posted to social media on December 24, nor has it responded to inquiries about the breach since that date. It was not clear what action, if any, Twitter has taken to investigate or resolve the matter.
Reuters could not independently confirm that the data on the forum was authentic and came from Twitter. Screenshots of the hacker forum where the data appeared on Wednesday have circulated online.
Troy Hunt, creator of the breach-notification site Have I Been Pwned, looked at the leaked data and said on Twitter that it looks “just as it is told.”
There was no clue to the identity or location of the hacker or hackers behind the breach. That could happen as early as 2021, well before Elon Musk took over ownership of the company last year.
Claims about the size and scope of the breach initially varied with accounts as early as December stating that 400 million email addresses and phone numbers had been stolen.
A major breach at Twitter could draw attention to regulators on both sides of the Atlantic. The Data Protection Commission in Ireland, where Twitter has its European headquarters, and the US Federal Trade Commission are monitoring the Elon Musk-owned company for compliance with European data protection regulations and a US consent order, respectively.
Messages left with the two regulators were not immediately returned on Thursday.