Twitter Says “No Evidence” That User Data Sold Online Came From Hack
Twitter said that after investigating reports that data on more than 400 million users was sold online, it found “no evidence” that it was obtained by exploiting vulnerabilities in its systems.
The Elon Musk-owned social network provided details of the investigation in a blog post Wednesday. In December 2022, a hacker claimed to offer over 400 million Twitter-associated user emails and phone numbers for sale on the black market, according to press reports. Earlier this month, “a similar attempt to sell data from 200 million Twitter-linked accounts was reported in the media,” which Twitter said was the same data set reported in December with duplicates removed.
Based on the investigation, “there is no evidence that the data sold online was obtained by exploiting a vulnerability in Twitter systems,” the company said. “The data is likely a collection of data that is already publicly available online through various sources.”
Twitter noted that in August 2022, the company disclosed that it had received a report last January through its bug bounty program about a vulnerability in Twitter’s systems that allows someone to use email addresses or phone numbers to reveal Twitter accounts associated with the information. The company said it updated the code in June 2021 to fix the bug.
In July 2022, Twitter “learned through a press release that someone had potentially exploited [the vulnerability] and offered to sell the information they had collected,” the company said. “After reviewing a sample of available sales data, we confirmed that a bad actor had exploited the issue before it was addressed.” Twitter said it notified affected users “immediately” of the issue. Media reports in November said 5.4 million Twitter user accounts were sold online; according to Twitter’s investigation, it was the same accounts that were exposed in August 2022.
Twitter said it is “in contact with data protection authorities and other relevant regulators” in various countries “to provide clarification on the alleged incidents.”
The company also said that while no passwords were exposed in the incidents, it encourages all Twitter users to enable two-factor authentication using authentication apps or hardware security keys to protect against unauthorized logins.
“We also encourage Twitter users to be extra vigilant when receiving any kind of communication over email, as threat actors can leverage the leaked information to create highly effective phishing campaigns,” the company said in the blog post. “Be wary of emails that give a sense of urgency and emails that ask for your private information, always double-check that emails are coming from a legitimate Twitter source.”
Since Musk bought Twitter in a $44 billion deal in October, he has laid off half of the company’s employees, claiming it was losing more than $4 million a day, and kicked hundreds more out the door after he demanded they pledge to work “extremely hardcore.” The number of employees at Twitter has fallen by almost 75% since Musk took over.
In December, Musk said he will step aside as CEO when he finds someone “stupid enough to take the job” but will continue to run the software and server teams.