Twitter says leaked data on 200 million users was likely publicly available info

Twitter on Wednesday addressed long-simmering rumors that hackers stole the information of more than 200 million users, claiming that there is “no evidence” the information being sold on the dark web came from the exploitation of a vulnerability in the company’s systems. 

The social media giant — which was purchased by Tesla CEO Elon Musk in October — said it investigated the issue and now believes that the information “is likely a collection of data already publicly available online through different sources.”

We were recently made aware of reports that Twitter user data was being sold online. After a comprehensive investigation, we found no evidence that this data originated from the exploitation of our systems. Read more here: https://t.co/4LnVG6gzae

— Twitter Support (@TwitterSupport) January 11, 2023

The situation began in January 2022, when the company was informed through its bug bounty program that a vulnerability allowed anyone to put an email address or phone number into Twitter’s system and find the account connected to it. 

The bug — which was traced back to a June 2021 update — was used by a hacker to get the personal information of 5.4 million users, something Twitter confirmed to The Record in August. 

Users and authorities were notified at the time but by November, several news outlets began reporting another breach. Twitter investigated that breach and compared it to the one reported in August, finding that the data contained in both was the same.

In December, a hacker going by “Ryushi" on cybercrime forum Breached demanded $200,000 for the emails and phone numbers of 400 million Twitter users, and last week yet another hacker offered the same information from 200 million Twitter users. 

“[The] 5.4 million user accounts reported in November were found to be the same as those exposed in August 2022. 400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident,” Twitter’s Incident Response and Privacy and Data Protection team said in their blog post on Wednesday. 

“[The] 200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems. Both datasets were the same, though the second one had the duplicated entries removed. None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.”

Twitter did not respond to requests for more information or comment about the issue. The company said it has contacted data protection authorities in several countries to discuss the issue.

The statement did little to address the concerns of people who confirmed that their email addresses were in the January leak. The Executive Editor of PCWorld, Brad Chacos, confirmed on Wednesday that an ID Alert from American Express confirmed that his personal information connected to his Twitter account was found on the dark web. 

Reporters from The Guardian found that information from people like U.S. Congresswoman Alexandria Ocasio-Cortez and broadcaster Piers Morgan were included in the breach — with Morgan’s account recently suffering from a hack. 

Piers Morgan, who appeared in the data samples provided by the Twitter hacker, just had his account hacked.

This is likely not a coincidence: The reveal of the email address may have been just what the hacker needed to find passwords for the account, or social engineer his way. https://t.co/05z8gQm9ZW pic.twitter.com/Xgc2GRO7V1

— Hudson Rock (@RockHudsonRock) December 27, 2022

Both the FTC and Ireland’s Data Protection Commission have said they are investigating the issue and Twitter’s handling of security in general. 

The company’s Chief Information Security Officer Lea Kissner, Chief Privacy Officer Damien Kieran, and Chief Compliance Officer Marianne Fogarty all resigned at the end of November.

Some researchers believe the second 200 million offering resulted from someone combing through the 400 million account leak and removing the duplicates. That leak included account names, handles, creation dates, follower counts and email address.

Richard Forrest, legal director at law firm Hayes Connor, told The Record that when personal data is in jeopardy, individuals can fall victim to identity or takeover fraud, or phishing scams. 

“Criminals can then use this information to extract funds from the victim's bank account, as well as buy products and services, leading to both financial loss and emotional distress,” he said. 

“The public puts a lot of trust in social media platforms such as Twitter, with the expectation that their data is going to be handled securely.”

Twitter urged users to enable two-factor authentication and “remain extra vigilant when receiving any kind of communications over email.”