Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Twitter Finds No Evidence of Vulnerability Exploitation in Recent Data Leaks

Twitter says it has analyzed the recently advertised databases allegedly containing the information of hundreds of millions of its users and found no evidence that a vulnerability has been exploited.

Twitter says it has analyzed the recently advertised databases allegedly containing the information of hundreds of millions of its users and found no evidence that a vulnerability has been exploited.

In August 2022, Twitter informed customers that a vulnerability in its systems had been exploited to obtain user data. The flaw, patched in January 2022, was used to determine whether a specified phone number or email address were tied to an existing Twitter account.

Twitter confirmed exploitation of the vulnerability after reports started circulating that the flaw had been leveraged to collect data on 5.4 million users.

A few months later, a cybersecurity expert said he had obtained a database that appeared to show the Twitter data breach was far bigger than initially reported, with tens of millions of impacted accounts.

Twitter said the data was the same in both cases, but it never clarified exactly how many users are believed to be impacted.

In December, just before Christmas, someone offered to sell a database of 400 million Twitter user records allegedly obtained through the exploitation of the same flaw.

A few weeks later, in early January, an individual leaked a database containing the information of roughly 235 million Twitter users, including name, username, email addresses, follower count, and account creation date. Experts who analyzed the publicly available data said it likely came from web scraping.

Twitter confirmed on Wednesday that the 200 million records were not obtained through the exploitation of the vulnerability patched in January 2022, nor other weaknesses in its systems.

Advertisement. Scroll to continue reading.

In addition, the social media giant clarified that the 200 million records actually appear to be the same dataset as the previously sold 400 million records, but with duplicate entries removed.

The company also clarified that none of the leaked databases contained any passwords or other information that could lead to passwords getting compromised.

“Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems. The data is likely a collection of data already publicly available online through different sources,” Twitter said.

Ireland’s Data Protection Commission (DPC) announced in December that it had launched an investigation in response to the data leak reports involving 5.4 million Twitter users.

In the statement published this week, Twitter said, “We are in contact with Data Protection Authorities and other relevant regulators from different countries to provide clarification about the alleged incidents, and we will continue to do so.”

Just like Facebook, Twitter has its European headquarters in Ireland. Facebook and Instagram have been issued hundreds of millions of euros in fines in the past year in Ireland over data privacy violations.

The individual offering to sell the 400 million records was actually hoping that the massive fines issued to other social media companies would convince Twitter to buy the data itself to prevent it from getting leaked.

Related: Twitter Logs Out Some Users Due to Security Issue Related to Password Resets

Related: Twitter Security Chief Resigns as Musk Sparks ‘Deep Concern’

Related: Twitter Ex-Security Chief Tells US Congress of Security Concerns

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

More People On The Move

Expert Insights