Following the apparent leaking of the emails and other data of 200 million users last week, Twitter has responded, denying that any data was, in fact, breached.
Rather, Twitter now believes the data to have been gathered from publicly available sources online. Twitter has also laid out a timeline of recent events involving the data, starting with an initial incident reported in August 2022.
The August breach was based on a vulnerability that allowed someone to link a user’s email address with their phone number. According to Twitter, the vulnerability was patched immediately, but not before someone had taken advantage of it. Twitter notified affected users and “relevant authorities”.
According to Twitter, the details of 5.4 million users that were being shopped around in November 2022 were not a new dataset, but rather came from the original August breach.
Subsequent sets of 400 million and 200 million were found to be mostly identical and, according to Twitter, not related to any new breaches.
“None of the datasets analysed contained passwords or information that could lead to passwords being compromised,” the company’s incident response and privacy and data protection teams declared in a blog post.
“Therefore, based on information and intel analysed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems. The data is likely a collection of data already publicly available online through different sources.”
So, essentially, no harm, no foul. Twitter is, however, talking to “data protection authorities and other relevant regulators from different countries to provide clarification about the alleged incidents”.
Alon Gal, the Hudson Rock security researcher who first surfaced the leaks in January, is not so convinced.
“I dispute Twitter’s investigation and maintain that the data breach is genuine,” Gal said in a post on LinkedIn. “I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter’s conclusion of the data being an enrichment of some sort which did not originate from their own servers.”
“Bottom line — it is possible to verify the authenticity of this data breach.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.