Twitter says it has analyzed the recently advertised databases allegedly containing the information of hundreds of millions of its users and found no evidence that a vulnerability has been exploited.
In August 2022, Twitter informed customers that a vulnerability in its systems had been exploited to obtain user data. The flaw, patched in January 2022, was used to determine whether a specified phone number or email address were tied to an existing Twitter account.
Twitter confirmed exploitation of the vulnerability after reports started circulating that the flaw had been leveraged to collect data on 5.4 million users.
A few months later, a cybersecurity expert said he had obtained a database that appeared to show the Twitter data breach was far bigger than initially reported, with tens of millions of impacted accounts.
Twitter said the data was the same in both cases, but it never clarified exactly how many users are believed to be impacted.
In December, just before Christmas, someone offered to sell a database of 400 million Twitter user records allegedly obtained through the exploitation of the same flaw.
A few weeks later, in early January, an individual leaked a database containing the information of roughly 235 million Twitter users, including name, username, email addresses, follower count, and account creation date. Experts who analyzed the publicly available data said it likely came from web scraping.
Twitter confirmed on Wednesday that the 200 million records were not obtained through the exploitation of the vulnerability patched in January 2022, nor other weaknesses in its systems.
In addition, the social media giant clarified that the 200 million records actually appear to be the same dataset as the previously sold 400 million records, but with duplicate entries removed.
The company also clarified that none of the leaked databases contained any passwords or other information that could lead to passwords getting compromised.
“Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems. The data is likely a collection of data already publicly available online through different sources,” Twitter said.
Ireland’s Data Protection Commission (DPC) announced in December that it had launched an investigation in response to the data leak reports involving 5.4 million Twitter users.
In the statement published this week, Twitter said, “We are in contact with Data Protection Authorities and other relevant regulators from different countries to provide clarification about the alleged incidents, and we will continue to do so.”
Just like Facebook, Twitter has its European headquarters in Ireland. Facebook and Instagram have been issued hundreds of millions of euros in fines in the past year in Ireland over data privacy violations.
The individual offering to sell the 400 million records was actually hoping that the massive fines issued to other social media companies would convince Twitter to buy the data itself to prevent it from getting leaked.