ProtonBlog(new window)

How to protect yourself from Twitter’s latest breach

Share this page

Hackers were able to steal account details from over 200 million Twitter users(new window) and posted the database on a hacking forum in early January 2023. These details include users’ email addresses and Twitter handles, allowing people to potentially identify pseudonymous Twitter accounts. 

Experts believe this list is a refined version of a similar database that was reported on in December 2022 that contained roughly 400 million Twitter handles(new window) and associated emails and phone numbers.

While Twitter denied that these account details were stolen(new window) by “exploiting a vulnerability of [its] systems”, Troy Hunt, the creator of haveibeenpwned.com, the website that allows you to see if your data has been exposed in a breach, pointed out that this seems like a carefully worded non-denial: 

Twitter is now facing a class action lawsuit(new window) over its refusal to acknowledge this incident as a breach.

Mr. Hunt has also reported that the email accounts purportedly from the breach seem legitimate.

It seems likely that these account details were obtained by taking advantage of an API flaw that Twitter acknowledged in August 2022(new window). The company was informed in January 2022 that it had introduced a bug in an update in June 2021 that would allow anyone that entered a phone number or email address to see what the corresponding Twitter handle was (if one existed). 

At the time, Twitter claimed the breach exposed roughly 5.4 million Twitter handles(new window) and their corresponding emails and phone numbers. 

How could this breach affect you?

There’s no evidence that hackers accessed users’ passwords or DMs. Still, attackers can now link publicly known email addresses and phone numbers to Twitter accounts, potentially allowing them to identify and doxx Twitter users. It will also allow them to write much more convincing phishing attacks(new window).  

While investigating the breach, Mr. Hunt discovered that 98% of the emails in the Twitter database had previously been exposed(new window) in another data breach. Hackers simply took the exposed email addresses and fed them into Twitter to add another data point to the ever-growing criminal databases. 

How to recover from the Twitter data breach

The first thing you can do is go to haveibeenpwned.com(new window) to see if your email address or phone number was exposed in the breach. If neither appears, you likely have nothing to worry about.

If your email appears, you should remove it from your Twitter account and any other account you use it for. You should also expect an uptick in the volume and quality of phishing emails(new window) you receive. 

If your phone number appears, you should unlink it from your Twitter account and any other accounts you use it for. You could also receive malicious phone calls and text messages (smishing) trying to fool you into exposing sensitive information. 

Even if your phone number doesn’t show up in the Have I Been Pwned database, if you’re using your phone number for a two-factor authentication (new window)(2FA), you should stop. Two-factor authentication via SMS is insecure and you should switch to something safer, like a time-based one-time password app or a hardware security key(new window).  

How to protect yourself from future breaches

While you cannot prevent data breaches yourself, you can reduce your vulnerability to data breaches in general. The following steps will prevent hackers from getting their hands on truly sensitive information or being able to use the data they’ve stolen to get into your other accounts:

  1. Turn two-factor authentication on for every account possible. This prevents hackers from being able to access your account even if they have your password and email. It can be a crucial last line of defense.
  2. Use strong, unique passwords(new window) for each account. If you use a different password for each account, a breach can never affect more than that account, limiting the potential damage and recovery time. You should also use a secure, open-source password manager(new window) to keep track of all your passwords. 
  3. Use a unique email alias for each account. Using the same logic as unique passwords, hackers can’t identify your accounts or track you across platforms if you create a unique email alias for each account. SimpleLogin by Proton Mail(new window) makes creating and managing dozens of email aliases simple. If you used SimpleLogin to create an alias for your Twitter account, you would not be at risk of being identified and could easily turn off that alias to avoid phishing attacks. 
  4. Don’t share sensitive information (when you can avoid it). It’s time to be real and admit that there’s a decent chance that anything you share with an online company could end up being exposed at some point. But a company can’t expose something in a breach that you never gave it in the first place. When possible, avoid sharing anything more than a pseudonym and an email alias when you create an account. 

These steps will help reduce your exposure to potential breaches. Unfortunately, there’s very little you can do to protect information that organizations already have, which is why we recommend you only use organizations with good security track records. This one gets harder every year as more and more companies suffer breaches and hacks. However, you should look for organizations that use open-source code and have an active security contributor community. It shows these companies prioritize data security and are willing to face scrutiny from experts to keep your information safe.

You can also push governments to enforce data privacy laws and punish data breaches. Twitter is still under a consent decree(new window) over data breaches from 2011. It should have detected that user accounts were being scraped and fixed the problem faster. Unfortunately, data breaches will continue to happen until they’re made too costly to ignore.

Protect your privacy with Proton
Create a free account

Share this page

Richie Koch(new window)

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Related articles

Even though the Snowden leaks came out 10 years ago, the United States never ended its unconstitutional surveillance program. It now has a chance to close the legal loopholes that allow warrantless spying on US citizens. But Congress needs to act bef
Over the past year, hackers have been using new and clever techniques to steal people’s online data. At Proton, we’ve been monitoring these evolving strategies and updating our defenses to stay ahead of the arms race.  Often, the attacks involve new
password fatigue
Most people in the digital age have dozens, if not hundreds, of passwords, and keeping track of them is tiring, to say the least. If you’re suffering from password fatigue, you’ll be happy to know there’s an easy fix. The short answer is that you sh
are password managers safe?
Password managers are a great way to generate secure passwords, keep them in encrypted storage together with your credit card details, and improve your online security across the board. But you might be worried about keeping so much sensitive data in
Most of us probably wouldn’t consent to sharing photos of our family and friends with random strangers on the internet. But that’s exactly what we do when we automatically sync our pictures to the non-private servers of Big Tech companies, which can
Google Drive is the world’s most popular cloud storage service by far, with over 3 billion people using Google Workspace (which includes Google Drive, Google Calendar, Gmail, and more). But this ubiquity has recently caused concern following several