Twitter has recently been in the news for a data leak involving 235 million Twitter accounts. The social media platform has denied that the leak came from its systems, claiming that a “thorough investigation” found “no evidence” of any associated breach. However, the leak of user data on a dark web marketplace for just $2 has raised concerns about the security of Twitter and its users.
Initial Silence from Twitter
When the data leak was first reported, Twitter did not respond to media outlets requesting comment or information. This silence from the company raised suspicions and concerns about the severity of the data leak. However, after a week of silence, Twitter released a statement denying any responsibility for the leak.
Investigation Results
In the statement, Twitter claimed that based on information and intelligence analyzed to investigate the issue, there was no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems. The company stated that the data is likely a collection of data already publicly available online through different sources.
Valid Emails
In the immediate aftermath of the leak’s detection on January 4, cybersecurity news outlet Bleeping Computer reportedly confirmed the validity of a number of the emails. The outlet also linked those 235 million emails/account pairs to an earlier December leak, containing both phone numbers and emails linked with about 400 million Twitter accounts. Twitter only had around 368 million monthly active users in December 2022, so the leaked data could, in theory, encompass all of these accounts.
Previous Security Failures
Both of the data dumps were thought to be related to an even earlier security failure, which Twitter publicly acknowledged in August 2022. A fatal flaw in the social platform’s application program interface (API) allowed anyone to get the Twitter ID of a user by searching their phone or email, even if the user in question did not have their phone or email publicly linked with their Twitter handle. The company admitted that the API flaw was related to data being sold by a “bad actor,” and claimed to be notifying affected users.
Denial of Link to Previous Incident
Twitter has now denied any link to the previous incident. The company claims that, after an internal investigation, the December 400 million user leak “could not be correlated with the previously reported incident, nor with any new incident.” And that the January 200 million account dataset, “could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.”
Twitter’s blog post also noted that the company is currently in touch with “Data Protection Authorities and other relevant regulators…to provide clarification about the alleged incident.” However, the company offered no additional information on how accurate compilations of hundreds of millions of Twitter accounts’ data ended up on a hacker marketplace.
While Twitter may deny any responsibility for the data leak, the fact remains that the information is out there. The company’s long history of breaches and security failures raises questions about the security of its systems and the protection of its users’ data.
It is important for users to be vigilant and take necessary precautions to protect their personal information, as well as for companies to ensure the security of their systems and customer data. Twitter’s response to the incident and cooperation with regulatory authorities will be closely monitored in the coming days.