one of the most significant leaks I've seen
In the quiet architecture of digital identity, a vulnerability left unattended becomes an open door — and for more than 200 million Twitter users, that door was open far longer than anyone should have allowed. A flaw discovered in 2021 let attackers silently map email addresses to Twitter accounts in bulk; by the time Twitter patched it in January 2022 and disclosed it in August, the harvest had already been taken. The resulting database — names, usernames, email addresses, follower counts — is now circulating on hacking forums for as little as two dollars, a reminder that the cost of negligence is rarely borne by those who were negligent.
- A database of over 211 million Twitter users' email addresses and personal details has been confirmed as authentic and is now openly for sale on hacking forums for as little as $2.
- The breach stems from a 2021 vulnerability that allowed automated bulk lookups — Twitter patched it quietly in January 2022 but waited seven more months to tell the public, while stolen data was already circulating.
- Though passwords were not included, the combination of real names, usernames, email addresses, and follower counts gives bad actors everything they need to launch targeted phishing, doxxing, and account takeover campaigns.
- Cybersecurity researchers Alon Gal and Troy Hunt have independently verified the scale of the leak, with Hunt adding the 211 million addresses to Have I Been Pwned so users can check their own exposure.
- Twitter's claim that it found no evidence of exploitation now rings hollow — researchers had already spotted the stolen credentials on dark web forums before the company made any public disclosure.
More than 200 million Twitter users learned this week that their email addresses and usernames had been posted online by hackers — part of a database confirmed by security researchers to contain over 211 million unique records, making it one of the largest credential leaks in recent memory.
The breach traces back to 2021, when attackers found a flaw in Twitter's infrastructure that allowed them to feed email addresses and phone numbers into the platform in bulk and confirm which ones were tied to active accounts. Twitter patched the vulnerability in January 2022 but didn't disclose it publicly until August — a seven-month silence during which stolen databases had already begun appearing on hacking forums.
The leaked files don't include passwords, but they do contain real names, usernames, follower counts, and account creation dates — enough to power a sustained wave of phishing campaigns, account takeovers, and doxxing attacks. The data is being sold for as little as two dollars. Alon Gal of Hudson Rock called it among the most significant leaks he had seen; Troy Hunt of Have I Been Pwned independently verified the 211 million figure and added the records to his searchable database so users can check their own exposure.
Twitter's claim that it found no evidence of exploitation has been undercut by the timeline itself: the data was already circulating before the company said a word. For the hundreds of millions of users now exposed, the breach is not an abstraction — their email addresses are in the hands of people who know exactly what to do with them.
More than 200 million Twitter users woke up to discover their email addresses and usernames had been posted online by hackers. The database, which security researchers confirmed contained over 211 million unique email addresses, represented one of the largest credential leaks in recent memory—and it had been sitting in Twitter's systems, unpatched, for roughly seven months.
The breach traces back to 2021, when attackers discovered a vulnerability in Twitter's security infrastructure that allowed them to automate account lookups. By feeding email addresses and phone numbers into Twitter's systems in bulk, hackers could determine whether those credentials were tied to active accounts. It was a simple exploit with devastating reach. Twitter eventually patched the flaw in January 2022, but the company didn't publicly disclose the vulnerability until August of that year—a gap of seven months during which the damage had already been done. By July 2022, security researchers had already spotted databases of Twitter credentials being hawked on hacking forums.
The leaked database itself does not include passwords, which provides some small measure of protection. But what it does contain is comprehensive enough to fuel a wave of targeted attacks. Along with email addresses and usernames, the files list users' real names if they chose to share them, their follower counts, and the dates their accounts were created. Security researchers confirmed the validity of many of the exposed email addresses. The database was being sold on hacking forums for as little as two dollars.
Alon Gal, co-founder of the Israeli cybersecurity firm Hudson Rock, described the leak as among the most significant he had encountered. He warned that the exposure would almost certainly trigger a surge in phishing campaigns, account takeovers, and doxxing attacks targeting the affected users. Troy Hunt, who runs the cybersecurity alert site Have I Been Pwned, analyzed the breach independently and confirmed the scale: 211 million-plus unique email addresses, matching what researchers had described. The database has now been added to Have I Been Pwned's searchable records, allowing users to check whether their email was included in the leak.
Twitter's handling of the vulnerability raises questions about the company's security practices and disclosure timelines. The company claimed in August 2022 that it had no evidence anyone had exploited the flaw, yet databases of stolen credentials were already circulating on the dark web by that point. The seven-month window between the patch and the public disclosure meant that anyone who had discovered the vulnerability during that period had a clear runway to harvest data at scale. For the 200 million users now exposed, the breach represents an immediate and concrete threat: their email addresses are now in the hands of people who know how to use them.
Notable Quotes
This is one of the most significant leaks I've seen. It will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.— Alon Gal, co-founder of Hudson Rock cybersecurity firm
Found 211,524,284 unique email addresses, looks to be pretty much what it's been described as.— Troy Hunt, creator of Have I Been Pwned
The Hearth Conversation Another angle on the story
Why does it matter that the database doesn't include passwords?
It matters because it's the one thing standing between these users and immediate account takeovers. But email addresses are almost as valuable—they're the key to password reset flows, phishing attacks, and targeted social engineering.
Seven months between the fix and the disclosure seems like a long time. Why would Twitter wait that long?
That's the question everyone's asking. Twitter said it had no evidence of exploitation, but that's hard to believe when credential databases were already for sale on hacking forums by the time they made their announcement.
What happens to someone whose email is in this leak?
They become a target. Attackers now know their email is tied to a Twitter account. They'll get phishing emails pretending to be Twitter, trying to trick them into handing over credentials. They might get doxxed—their personal information published online. Their account could be hijacked.
Can people check if they're affected?
Yes. Troy Hunt added the entire database to Have I Been Pwned, so anyone can search their email and find out immediately if they're in there.
Is two dollars a realistic price for 200 million records?
It is when you're selling in bulk on a hacking forum. The value isn't in the individual records—it's in the scale and the targeting potential. Two dollars is almost a giveaway price.