Personal information on more than 200 million Twitter users, likely harvested in 2021, has been published online in a massive hack of the social media platform.

The stolen data appears to be limited to Twitter account usernames and associated email addresses, according to a report from The Washington Post, but even that information can be leveraged against users.

Publication of the data poses threats of exposure, arrest or violence against people who used Twitter to criticize governments or powerful individuals, and it could open up others to extortion, security experts said, per the Post. Hackers could also use the email addresses to attempt to reset passwords and take control of accounts, especially those not protected by two-factor authentication.

Alon Gal, the co-founder of Israeli security firm Hudson Rock, reportedly was the first to uncover the leak.

“The database contains 235,000,000 unique records of Twitter users and their email addresses and will unfortunately lead to a lot of hacking, targeted phishing, and doxxing,” Gal posted on his LinkedIn page. “This is one of the most significant leaks I’ve seen.”

So, where is the stolen Twitter data now?

Gizmodo reports the data stolen from Twitter more than a year ago found its way onto a major dark web marketplace this week. The asking price? The crypto equivalent of $2. In other words, it’s basically being given away for free. 

The hacker who posted the data haul, a user who goes by the moniker “StayMad,” shared the data on the market “Breached,” where anyone can now purchase and browse it, per Gizmodo.

The cache is estimated to cover at least 235 million people’s information.

How did hackers get into Twitter databases?

According to The Washington Post, the records were probably compiled in late 2021, using a flaw in Twitter’s system that allowed outsiders who already had an email address or phone number to find any account that had shared that information with Twitter. Those lookups could be automated to check an unlimited list of emails or phone numbers.

Twitter acknowledged in August last year that it had been aware of the breach since January 2022, but the code error that gave hackers access had probably been introduced in a software update in mid-2021.

As of midday Friday, Twitter had not yet offered public comment on the information breach.