Twitter says leaked user data wasn't stolen from its systems


The leak of over 200 million email addresses belonging to Twitter users is not a result of an internal vulnerability being abused, the company has claimed.

In an update posted to the company website, the microblogging platform addressed speculation that the threat actors had abused the same vulnerability, patched in January 2022, that hackers used to share details on more than five million Twitter users.

"In response to recent media reports of Twitter users' data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems," the company said. "[The] 200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems," it added.

Data taken elsewhere

"None of the datasets analyzed contained passwords or information that could lead to passwords being compromised." Instead, Twitter believes the leak is an amalgamation of publicly available databases gathered elsewhere, likely through separate leaks. "The data is likely a collection of data already publicly available online through different sources," it claims.

Some experts are questioning Twitter’s arguments, asking why the company did not explain how the leaked data was accurately linked to email addresses associated with people’s Twitter accounts. 

The microblogging platform said it reached out to relevant data protection authorities and other organizations to provide more details about the incident.

In late November 2022, researchers discovered a major data dump of sensitive identity information, claiming it was probably due to a vulnerability that allowed anyone to cross-check if an email address or a phone number was associated with a Twitter account, and if so, which one.

Millions of users from the US and EU were exposed, and the media managed to confirm the authenticity of at least some of the data posted to the dark web. 

Via: BleepingComputer

Sead Fadilpašić
