Data on 200 million Twitter users posted online by hacker did not come from a Twitter vulnerability, platform insists
Twitter has publicly responded to reports of a security problem, after a researcher last week warned that 200 million user email addresses for Twitter accounts had been leaked online.
Last week Alon Gal, co-founder of Israeli cybersecurity-monitoring firm Hudson Rock, alleged that email addresses used to set up Twitter accounts had been published on a hacking forum.
Gal said at the time that the database “contains 235,000,000 unique records of Twitter users and their email addresses.” He said the database is “circulating heavily and is now leaked” and will “unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”
However, noted security researcher Troy Hunt, creator of breach-notification site Have I Been Pwned, analysed the leaked data at the time and said on Twitter that the “addresses are only in the scraped Twitter data because they’d already been compromised elsewhere, and so the cycle continues…”
And now Twitter has officially responded to the allegation in a blog post, in which it said there was no evidence new user data leaks were obtained via a vulnerability or bug with its systems.
“We take our responsibility to protect your privacy very seriously,” blogged the firm.
“In response to recent media reports of Twitter users’ data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.”
Ireland’s data protection office had recently said it would investigate the apparent security breach.
Twitter also addressed a previous incident last summer, when the data of 5.4 million accounts was compromised by a bug it discovered early in 2022.
“We also want to share an update about an incident that took place earlier this year, and provide transparency into the steps we took to remediate it,” it blogged.
That came after Twitter faced recent claims about the size and scope of the breach, which initially varied, with early accounts in December saying 400 million email addresses and phone numbers had been stolen.
Twitter said in the blog that the 5.4 million user accounts reported in November were found to be the same as those exposed in August 2022.
It said that 400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident.
It added that the 200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.
Twitter said both datasets were the same, though the second one had the duplicated entries removed.
And it said that none of the datasets analysed contained passwords or information that could lead to passwords being compromised.
A hacker, using the handle “Ryushi”, had offered a sample of details from about 1,000 accounts on hacker forums in July 2022.
But Twitter said that breach had been resolved.
“Therefore, based on information and intel analysed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” Twitter blogged this week.
“The data is likely a collection of data already publicly available online through different sources,” it said.