Twitter says there is no evidence to support press reports that the user data recently offered for sale online was obtained by exploiting a vulnerability in its systems, and that the data is instead likely a collection of information already publicly available from different sources online.
The detailed statement came in response to reports that Twitter’s systems were breached last year by hackers who accessed the personal data of millions of users. Following those reports, Ireland’s Data Protection Commission (DPC), Twitter’s lead regulator in the EU, opened an inquiry into the potential breach in December. The leak reportedly affected the personal information of more than 5.4 million users.
Twitter denies that the information was obtained by exploiting a vulnerability in the company’s systems and instead says it is “likely a collection of data already publicly available online through different sources”.
“We also want to share an update about an incident that took place earlier this year, and provide transparency into the steps we took to remediate it,” says Twitter, before turning to subsequent reports about a hacker claiming to hold the personal information of more than 400 million users.
Twitter says the vulnerability was reported to it through the company’s bug bounty programme in January 2022, and it disclosed the incident publicly in August 2022. Anyone who submitted an email address or phone number to the affected endpoint was told whether it belonged to a Twitter account, and which one. In effect, the endpoint was an account-enumeration oracle that let an attacker link contact details to handles at scale. According to Twitter, the flaw was introduced by a change to its code in June 2021. “When we learned about this, we immediately investigated and fixed it.”
However, before the issue was fixed, a bad actor had already exploited it and was offering to sell the data they had improperly acquired. Twitter says it “promptly” notified the affected users and the relevant authorities about the breach.
Then, in November 2022, reports emerged that Twitter data had been leaked online again. When the company compared this dataset with the one harvested through the vulnerability and disclosed in August 2022, it found the two to be the same.
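The bug class described above is an account-existence oracle: a lookup that answers differently depending on whether a submitted email or phone number maps to an account. The following is an added example, not Twitter’s code or a reconstruction of its endpoint. It contrasts a vulnerable lookup with a hardened one that returns the same response either way, pushes any real effect out-of-band, and throttles per-client lookups. All account data is constructed, and the function and class names are hypothetical.

```python
"""Account-enumeration oracle versus a hardened lookup (added example).

Constructed sample data and hypothetical names throughout; this is not Twitter's code.
"""
import re
from collections import defaultdict, deque

# Constructed sample account table: canonical identifier -> handle.
ACCOUNTS = {
    "alice@example.com": "@alice",
    "+15550001111": "@alice",
    "bob@example.com": "@bob",
}

# Out-of-band notifications "sent" by the hardened path (collected here for the demo).
SENT_NOTIFICATIONS = []


def normalize(identifier: str) -> str:
    """Canonicalise an email (lower-case) or phone number (digits only, E.164-style)."""
    ident = identifier.strip()
    if "@" in ident:
        return ident.lower()
    digits = re.sub(r"\D", "", ident)
    return "+" + digits if digits else ident


def lookup_vulnerable(identifier: str) -> dict:
    """Vulnerable: the response reveals whether the identifier is linked to an
    account and which handle it belongs to. Feeding a list of emails or phone
    numbers through this turns it into an enrichment oracle."""
    handle = ACCOUNTS.get(normalize(identifier))
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


class EnumerationGuard:
    """Per-client sliding-window limit on identifier lookups."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)  # client -> timestamps inside the window

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_hardened(identifier: str, client: str, now: float, guard: EnumerationGuard) -> dict:
    """Hardened: the caller gets the same response whether or not the identifier
    exists. The only state-changing effect (a recovery message) goes to the
    address or number itself, so only its real owner learns anything, and the
    guard throttles bulk probing. The ACCOUNTS lookup runs on both paths so the
    branches do the same work; precise timing equalisation is out of scope here."""
    if not guard.allow(client, now):
        return {"status": "rate_limited"}
    handle = ACCOUNTS.get(normalize(identifier))
    if handle is not None:
        SENT_NOTIFICATIONS.append((normalize(identifier), handle))
    return {"status": "ok", "message": "If an account matches, we have sent instructions to it."}


def harvest(candidates, lookup) -> dict:
    """What an attacker learns by running a candidate list through a lookup function."""
    found = {}
    for candidate in candidates:
        resp = lookup(candidate)
        if "handle" in resp:
            found[candidate] = resp["handle"]
    return found


if __name__ == "__main__":
    probes = ["Alice@Example.com", "+1 (555) 000-1111", "nobody@example.com"]
    print("vulnerable:", harvest(probes, lookup_vulnerable))
    guard = EnumerationGuard(limit=10, window_s=60)
    print("hardened:  ", harvest(probes, lambda c: lookup_hardened(c, "10.0.0.1", 0.0, guard)))
```

Against the vulnerable function the harvest maps two of the three probes straight to `@alice`; against the hardened one it maps nothing, and a client that keeps probing is cut off by the guard. The uniform response is the essential fix; the rate limit only raises the cost of whatever residual signal (timing, error codes) remains.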
“In December 2022, additional press reports published that someone claimed that they have access to over 400 million Twitter-associated user emails and phone numbers, and that the data had been exposed through the same vulnerability discovered in January 2022,” the statement reads. “Recently, in January 2023, a similar attempt to sell data from 200 million Twitter-associated accounts was reported in the media.”
Twitter says its Incident Response and Privacy and Data Protection teams conducted a comprehensive investigation into the reported leaks and concluded:
- The 5.4 million accounts reportedly breached in November 2022 are the same ones exposed in the incident disclosed in August 2022
- The information linked to 400 million users in the second reported breach could be correlated neither with the previously reported incident nor with any new incident
- The 200 million-record dataset could be correlated neither with the previously reported incident nor with any data originating from an exploitation of Twitter’s systems
- The 400 million and 200 million datasets were the same, with the second merely having duplicate entries removed
- None of the datasets analysed contained passwords or any other information that could compromise account security
“Therefore, based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” Twitter claims. “The data is likely a collection of data already publicly available online through different sources.”
Hudson Rock, the cyber-crime intelligence firm that first raised concerns about the alleged breaches, does not seem to support Twitter’s findings, however.
The company’s co-founder, Alon Gal, said, “I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter’s conclusion of the data being an enrichment of some sort which did not originate from their own servers.”