Data alleged to contain the email addresses of more than 200 million Twitter users is being given away for free on a hacker forum, reports say.
The stolen information includes email addresses used to set up accounts, which will worry anonymous users who registered with a sensitive address.
The BBC has not verified the data, and breaches often turn out to contain duplicate, old or fake information.
Twitter has not responded to requests for comment about the breach.
Alon Gal of cyber-crime information firm Hudson Rock, which spotted the leak, said it contained more than 200 million email addresses and was “significant”.
Mr Gal told the BBC it would “unfortunately lead to a lot of accounts getting hacked, targeted with phishing, and doxxed”.
Doxxing is the act of publishing personal information about someone that can lead to their identification.
The BBC has not downloaded the material, which has to be unlocked by using 20p worth of the forum credits.
Some form users have expressed their interest in the data, with one saying: “Thanks for your service cannot wait for the chaos.”
Tech news website Bleeping Computer has downloaded the data and confirmed that the email addresses were correct for many of the listed Twitter profiles. It also found the data contained duplicates.
It reported: “The full dataset has obviously not been confirmed. The dataset is far from complete, as there were many users who were not found in the leak.”
Another researcher suggested that many Twitter accounts feature many times, but the number of unique email addresses involved is still more than 100 million.
Already investigating
The news comes after a warning from from Hudson Rock last week about unverified claims by a hacker to have emails and phone numbers linked to 400 million Twitter accounts.
The hacker, Ryushi, demanded $200,000 (£168,000) from Twitter to hand over the data and delete it.
However, data currently offered online for free was posted by another individual, is smaller in size, and Mr Gal said, did not include phone numbers.
Analysis by Joe Tidy (cyber reporter)
As ever with giant database hacks, it’s extremely hard to verify if the stolen details are legitimate.
Early indications are that at least some of the sample data the criminal is offering is real, and three Twitter users have confirmed to me that their leaked email addresses are real.
This is no doubt very concerning for them and others on the list, which could now potentially be in the cross-hairs of hackers and opportunists.
But the evolution of the hack could also be telling.
First we had claims of a massive breach and efforts to extort thousands of dollars from Twitter.
Now a haul of data is being given away for a measly 20p.
The leaked data could turn out to be a worthless amalgamation of previous breaches and fake details.
Twitter would know for sure, but so far the company (which has disbanded its media communications teams since Elon Musk’s takeover) has refused to even acknowledge the situation.
Previous data scrapes of this kind have been routinely and swiftly downplayed by social media firms which have for years brushed them off as not serious security issues.
But the argument appears to be one that tech firms are losing, as Facebook’s recent £230m fine for a 2021 scraping incident shows.
Following reports of Ryushi’s claim, Ireland’s Data Protection Commission (DPC) said it would “examine Twitter’s compliance with data protection law in relation to the security issue”.
The DPC is already investigating a breach of data in November, in which emails and phone numbers linked to more than five million accounts were leaked online.
Security experts believe the newly leaked data may have been accessed in a so-called scraping attack enabled by a flaw in a Twitter system.
This involved tricking a piece of software linked to Twitter called an API (application programming interface) into revealing hidden details about accounts.
The flaw was used in the November 2021 breach. Twitter said it had fixed it in January 2022
BBC