Twitter, the popular social media platform, has denied recent claims that emails linked to millions of its users’ accounts were obtained through a hack. In its first statement on the matter, the company wrote “there is no evidence” the data came from a flaw in its systems. The records were instead probably a collection of data “already publicly available online”, although it urged users to be wary of bogus emails and to remain extra vigilant.
The firm which raised the alarm about the alleged leaks, Hudson Rock, a cyber-crime intelligence company, said it disputed Twitter’s findings. Alon Gal, the company’s co-founder, said: “I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter’s conclusion of the data being an enrichment of some sort which did not originate from their own servers.”
In December, Ireland’s Data Protection Commission (DPC), Twitter’s lead regulator in the EU, announced it was investigating a leak of data linked to 5.4 million accounts. Twitter says the leaked data matched data exposed by a security flaw caused by a system update in June 2021. The flaw meant, Twitter says, that if someone obtained an email address or phone number, the faulty system could be used to identify any Twitter accounts that were connected to them.
Twitter says it investigated and fixed the fault when it was warned about it in January 2022 through a “bug bounty” scheme that rewards researchers who alert it to security problems. In December, Hudson Rock reported that a hacker called Ryushi was attempting to extort Twitter using the threat of an even bigger leak. Ryushi claimed to have a trove of leaked emails and phone numbers associated with over 400 million user accounts, and offered to “sell” them exclusively to Twitter. Ryushi claimed to have obtained the data by exploiting the flaw in Twitter’s system.
Following reports of the threatened extortion, the DPC said it would “examine Twitter’s compliance with data protection law in relation to that security issue”. Last week, a different individual leaked what they said were emails linked to 200 million user accounts, and made them available for anyone to download for a small fee. Twitter says both datasets are the same, but with duplicated data removed in the smaller leak, and that neither came from using the flaw.
“Based on information and intel analysed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company said. “The data is likely a collection of data already publicly available online through different sources.” Twitter did not say whether the email addresses are genuine or if they were correctly matched with user accounts, and, if so, how that was accomplished.
Twitter also warned users to be extra vigilant, as the leaked information could be used to create “very effective” phishing emails, and added that it has communicated its findings to the relevant data protection authorities. It’s important for users to be aware that their personal information is vulnerable and should be protected, and to be cautious of unsolicited emails or messages. Twitter has urged users to secure their accounts by enabling two-factor authentication, and to be vigilant about not giving out personal information to unknown sources.