On Wednesday, Twitter claimed that its investigation had turned up “no evidence” that any security flaws in its systems had been used to access user data that was being sold online.
According to data and intelligence analyzed to look into the matter, the business stated in a statement, “There is no proof that the data being sold online was obtained by utilising a weakness of Twitter systems.” The information is probably a compilation of information that is already freely accessible online from many sources.
The revelation follows many claims that large amounts of user data from Twitter – including that of 200 million users last week and 5.4 million users in November 2022 – have been made available for purchase on dark web marketplaces.
The social media titan added that no passwords were revealed and that the breach “could not be associated with the previously disclosed incident, nor with any new event.” The January dataset had duplicate items deleted, but the two datasets presented in December are reported to be similar.
Twitter acknowledged that an API flaw triggered by a code change in June 2021 allowed users to link their Twitter accounts to certain email addresses or phone numbers in August 2022. The bug was then used to scrape the information of 5.48 million user profiles.
This is coming a few months after the hackers responsible for the FBI Infragard database attack put up the database for sale. Watch this video here by SLYTECH tracking the platform where the data was uploaded for sale as well as exploring the Twitter database put up for sale on the same forum.
The threat actor Ryushi claimed the data was gathered using the now-fixed vulnerability when he posted an advertisement for the data dump on the Breach Forums platform in December 2022. The dataset’s origin and whether it was compiled before the issue was fixed in January 2022 are unknown at this time.
The Irish Data Protection Commission (DPC) revealed last month that it is looking into the global data leak in November involving 5.4 million Twitter users, which Twitter claims is “the same as those disclosed in August 2022.”
In order to clarify the “reported instances,” the Elon Musk-owned company also stated that it is in contact with the appropriate data protection authorities. Users are advised to enable two-factor authentication (2FA) and to be vigilant for any phishing efforts.