Thu | Jan 12, 2023 | 4:06 PM PST

Twitter has provided an update on a data breach incident that occurred earlier this year, clarifying that there was no evidence that the data involved was obtained by exploiting a vulnerability in its systems.

About one week ago, Twitter received a report through its bug bounty program of a security vulnerability affecting its systems. The vulnerability could allow someone to submit an email address or phone number to Twitter's systems and receive information about the associated Twitter account. The issue was promptly investigated and fixed.

However, in July 2022, it was discovered that a bad actor had taken advantage of the vulnerability before it was addressed. Twitter promptly notified affected users and relevant authorities of the incident. Then, in November, press reports emerged that Twitter users' data had allegedly been leaked online.

Additionally, in December, press reports stated that someone claimed to have access to over 400 million Twitter-associated user emails and phone numbers, and that the data had been exposed through the same vulnerability discovered in January 2022. Recently, a similar attempt to sell data from 200 million Twitter-associated accounts was reported in the media.

Twitter's Incident Response and Privacy and Data Protection teams investigated the incident and concluded the following:

  • "5.4 million user accounts reported in November were found to be the same as those exposed in August 2022."

  • "400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident."

  • "200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems."

  • "Both datasets were the same, though the second one had the duplicated entries removed."

  • "None of the datasets analyzed contained passwords or information that could lead to passwords being compromised."

A recent update from Twitter said this about the situation:

"Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems. The data is likely a collection of data already publicly available online through different sources."

Twitter is in contact with data protection authorities and other relevant regulators from different countries to provide clarification about the alleged incidents and will continue to do so, the update stated.

The company encourages users to enable multi-factor authentication (MFA) and to remain vigilant when receiving any kind of communications over email, as threat actors may leverage the information to conduct phishing or other malicious activities.

This should serve as a reminder of the importance of protecting personal information online and the potential consequences of security vulnerabilities. It also highlights the need for companies to promptly address and disclose security incidents to protect the privacy of their stakeholders.
