A new statement claims that the trove of records from more than 200 million Twitter accounts recently put up for sale on the dark web was not obtained through a compromise of the social media company’s IT systems.
Twitter says the dataset is the same one cited in a report that collected 400 million accounts dating back to December, except that duplicate entries have been removed.
However, it is not related to the breach of Twitter records of 5.4 million users confirmed in August 2022. That breach dates back to a zero-day vulnerability in the company’s code base that was patched last January.
In fact, the social media giant claims the leak of more than 200 million records has nothing to do with misuse of Twitter’s systems.
“Based on the information and intelligence analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting vulnerabilities in Twitter systems,” the company said. “The data can be collections of data already published online through various sources.”
Twitter has tried to reassure users by confirming that “none of the analyzed datasets contained passwords or information that could lead to password compromise.”
However, there are concerns that the datasets currently circulating on the dark web associate user account email addresses and phone numbers with Twitter handles.
This exposes countless users to phishing attacks in which they can be tricked into handing over their credentials. Unless multi-factor authentication is enabled, this can lead to account takeover.
Twitter did not explain how the threat actors behind the data breach would link these emails to the relevant user accounts.
“Be wary of emails that convey a sense of urgency or request personal information, and always double-check that the email is coming from a legitimate Twitter source,” the advice concludes.
However, the researchers who originally uncovered the 200 million user dataset did not seem convinced by Twitter’s latest statement, claiming that a third-party compromise was the most likely cause of the breach.
Hudson Rock CTO Alon Gal said:
“For example, the authenticity of the leak is evident in the absence of false positives between Twitter usernames and emails found in the database, [as opposed to] a data enrichment case.”