
Twitter said Wednesday that an investigation found no “evidence” that user data sold online was obtained by exploiting security vulnerabilities in its systems.
“Based on the information and intel analyzed to investigate the issue, there is no evidence that data sold online was obtained by exploiting vulnerabilities in Twitter systems,” the company said in a statement. “The data can be a collection of data already published online through various sources.”
The disclosure comes after multiple reports that Twitter data belonging to millions of users (5.4 million in November 2022, 400 million in December 2022 and 200 million last week) is being sold on online crime forums.
The social media giant further said the breach “could not be correlated with any previously reported or new incidents,” adding that the passwords were not made public. The two datasets are said to be identical, the latter having duplicate entries removed.
In August 2022, Twitter acknowledged that a June 2021 code change introduced an API bug that let someone link a specific email address or phone number to the Twitter account associated with it. This vulnerability was then exploited to steal the information of 5.48 million user profiles.
Ryushi, the threat actor who advertised the data dump on the Breached hacking forum in December 2022, claimed that the information was compiled using the now-patched vulnerability. It is currently unknown how the dataset was obtained and whether it was collected before the vulnerability was patched in January 2022.
Ireland’s Data Protection Commission (DPC) announced last month that it was investigating a November data breach affecting 5.4 million Twitter users worldwide.
The Elon Musk-owned company has also been in contact with relevant data protection authorities to clarify “suspicious incidents” while warning users to enable two-factor authentication (2FA) and to beware of potential phishing attacks.