Twitter denies data breach involved in leak of 200 million user emails

Social media site Twitter denied that a data breach of its systems was the source of the leak of 235 million users’ email accounts. According to multiple reports, the leaked data had apparently been put on sale for just $2 on a dark web marketplace earlier this month.

Twitter usernames and their corresponding email addresses may not seem like sensitive info. However, the leak prompted concerns that the data could be tied to real-world identities, making hacking into accounts much easier.

The Musk-owned social media site initially did not respond to media outlets’ requests for information regarding the leak. But a week later, the company has since released a statement addressing it.

“Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company wrote in a blog post Wednesday night. “The data is likely a collection of data already publicly available online through different sources.”

The company also noted that the leaked data did not contain passwords or any other information that could allow hackers to compromise users’ accounts. (Read: Reports indicate Twitter is looking to monetize popular usernames)

Bleeping Computer first reported that Twitter may have had a data breach on January 4 when it shared screenshots of some of the leaked data. As part of this, the cybersecurity-focused news outlet confirmed that the leaked data contained valid emails.

In addition, the site also linked the 235 million email/account pairs to an earlier leak from December 2022. This prior leak contained both phone numbers and emails linked to around 400 million user accounts—Twitter only had around 368 million active users during that month, meaning that the leaked data could theoretically encompass all of these accounts.

The site then stated that the January leak was a cleaned up version of the earlier data with fewer duplicates.

Both data leaks are thought to be related to an even earlier Twitter data breach, one which the company publicly acknowledged in August 2022. A flaw in the platform’s application program interface (API) supposedly allowed anyone to get a user’s Twitter ID by searching their phone or email even if the user did not have these publicly linked with their Twitter handle.

In its Wednesday blog post, however, Twitter has since denied this link. It claimed that an internal investigation found that both the December 2022 and January 2023 leaks “could not be correlated” with any previously reported incidents.

In addition, the blog post notes that Twitter is currently in touch “Data Protection Authorities and other relevant regulators…to provide clarification about the alleged incident.” However, it provides no further information on how accurate the data in the leaks are and how they ended up on the dark web.

If you like reading our content, why not show your appreciation by treating us to a cup of coffee? (or two, if you’re feeling generous)

Franz Co

managing editor | addicted to RGB | plays too many fighting games

%d bloggers like this: