More than 200 million Twitter users' information is now available for anyone to download for free.

This latest data dump, which includes account names, handles, creation dates, follower counts, and email addresses, turns out to the be same - albeit cleaned up - leak reported last month that affected more than 400 million Twitter accounts, according to Privacy Affairs' security researchers, who verified the database that's now posted on a breach forum. 

The halved number of accounts is due to the removal of duplicates, according to Privacy Affairs CEO and founder Miklos Zoltan. "However, this time, the data is available for anyone to download for free, instead of being listed for sale at $200,000, as it was in December," he wrote.

Some of the well-known people and organizations included in the new 63GB database leak include Donald Trump Jr., Google CEO Sundar Pichai, SpaceX, the US National Basketball Association, CBS Media and the World Health Organization, according to Zoltan's blog post about the breach.

No word on whether the Christmas day hack of British education secretary Gillian Keegan's Twitter account is related. In that case miscreants took over Keegan's account, changed her profile picture to Elon Musk, and posted a series of tweets promoting cryptocurrencies.

Twitter did not respond to The Register's inquiries.

While the leaked data does not include users' phone numbers, physical addresses or passwords, it still poses a risk to the exposed account owners, Zoltan said.

"Privacy Affairs cybersecurity experts reviewed the published data and believe this latest leak could lead to social engineering attacks and doxxing."

The leaked email addresses linked to Twitter accounts can be combined with other publicly available information to determine users' real-life identity and locations. Plus, phishing emails continue to provide a successful entry point for criminals - and nation state thugs - looking to pull off social engineering attacks.

Of course, the published email addresses can also be used by spammers or scam markers, and all they need to do is convince one victim to click on a malicious link.

While this week's data dump contains fewer accounts, it could prove to be more serious because the crooks are giving away the full database for free, researchers warned.

"It is not certain at this moment how exactly this data was obtained," Zoltan noted. "The most likely method used could have been the abuse of an application programming interface (API) vulnerability."

As previously reported, the records were apparently scraped in 2021 via a security flaw Twitter said it fixed last year. ®

https://www.theregister.com//2023/01/05/twitter_leak_200m_accounts/