Published:
Twitter has found that data released online containing hundreds of millions of users’ names and contact information isn’t from an earlier data leak, and nor has there been a new leak.
Alon Gal founder of security firm Hudson Rock, who was one of the first to publicly mention the leaked data, wrote on Linkedin, “this is one of the most significant leaks I’ve seen.”
In June 2021, an update caused a vulnerability that allowed a malicious actor to obtain the email address or phone number associated with an account. The vulnerability was revealed to Twitter in January 2022, and Twitter immediately fixed the bug.
This has nothing to do with the most recent user data available online, Twitter says.
In July 2022, a press report revealed that a malicious actor had potentially exploited the vulnerability before it was fixed and was selling the personal details of 5.4 million Twitter users online.
Twitter investigated the incident, confirmed the report, and told affected users and authorities. Then, in November, another report of Twitter user data being sold online surfaced.
Twitter’s response team investigated and determined that the most recent data being sold online was the same data that was being sold in July 2022.
Twitter Says the New Database is Likely a Collection of Data Already Available Online
At the end of 2022, there were reports that 400 million personal data records were available online. Then, in early 2023 similar reports of 200 million records being sold online also surfaced.
The individual selling the records claimed to have gained access to the personal details through the same vulnerability that caused the data leaks in 2022.
After another investigation, Twitter determined that the data in the December 2022 and January 2023 datasets was not correlated to the data leak in July 2022 and that there has been no new vulnerability exploited or data leak.
They also said that the 200 million user dataset was the same as the larger one but with duplicate records removed. Twitter wrote,
Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems. The data is likely a collection of data already publicly available online through different sources.
After Twitter released its statement on the data leak, Gal wrote on Linkedin,
Having discussed it with other security professionals and conducting my own research around it, I believe that my previous assessment is still valid, meaning the database is authentic. For example, the authenticity of the leak is evident in the lack of false positives between Twitter usernames and emails found in the database, opposite to cases of data enrichments.
That leaves Twitter users wondering how 200 million data records managed to end up in a publicly accessible database.
Read More
Margherita Pepper