The leak of over 200 million email addresses belonging to Twitter users is not a result of an internal vulnerability being abused, the company has claimed.
In an update posted to the company website, the microblogging platform addressed speculation that the threat actors had abused the same vulnerability that was patched in January 2022, which hackers used to share details on more than five million Twitter users.
“In response to recent media reports of Twitter users’ data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems,” the company said. “[The] 200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems,” it added.
Data taken elsewhere
“None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.” Instead, Twitter believes the leak is an amalgamation of publicly available databases gathered elsewhere, likely through separate leaks. “The data is likely a collection of data already publicly available online through different sources,” it claims.
Some experts are questioning Twitter’s arguments, asking why the company did not explain how the leaked data was accurately linked to email addresses associated with people’s Twitter accounts.
The microblogging platform said it reached out to relevant data protection authorities and other organizations to provide more details about the incident.
In late November 2022, researchers discovered a major data dump of sensitive identity information, claiming it was probably due to a vulnerability that allowed anyone to cross-check if an email address or a phone number was associated with a Twitter account, and if so – which one.
Millions of users from the US and EU were exposed, and the media managed to confirm the authenticity of at least some of the data posted to the dark web.
Via: BleepingComputer