Twitter finally addressed reports that a dataset of email addresses linked to hundreds of millions of Twitter users was leaked and put up for sale online, saying that it found no evidence the data was obtained by exploiting a vulnerability in its systems.
“In response to recent media reports of Twitter users’ data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems,” the company said.
In August, the company confirmed that a data leak impacting 5.4 million Twitter users resulted from threat actors exploiting a vulnerability fixed in January 2022.
This flaw enabled the attackers to link email addresses and phone numbers to Twitter users’ accounts.
Today, Twitter said that another dataset containing email addresses linked to 200 million Twitter users that reportedly got leaked online earlier this month was not obtained by exploiting the vulnerability patched in January 2022.
“[The] 200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems,” Twitter said.
“None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.”
We were recently made aware of reports that Twitter user data was being sold online. After a comprehensive investigation, we found no evidence that this data originated from the exploitation of our systems. Read more here: https://t.co/4LnVG6gzae
— Twitter Support (@TwitterSupport) January 11, 2023
The company added that “based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems. The data is likely a collection of data already publicly available online through different sources.”
However, Twitter failed to explain in today’s statement how the Twitter users’ leaked data was accurately linked to email addresses associated with their accounts.
Twitter added that it’s currently in contact with Data Protection Authorities and other relevant data regulator bodies in multiple countries to provide additional details regarding the “alleged incidents.”
In December 2022, the Irish Data Protection Commission (DPC) announced that it launched an inquiry and “raised queries in relation to GDPR compliance” following news reports that the personal information of 5.4 million Twitter users was leaked online.
Two years before, in December 2020, the DPC fined Twitter €450,000 (~$550,000) after it failed to notify the data watchdog of a breach within the 72-hour timeframe required by EU’s General Data Protection Regulation (GDPR).