Twitter Says ‘No Evidence’ User Data Being Sold Online Came From Hack

/in


Twitter said that after investigating reports that data on upwards of 400 million users was being sold online, it found “no evidence” that was obtained by exploiting vulnerabilities in its systems.

The Elon Musk-owned social network provided details on the investigation in a blog post Wednesday. In December 2022, a hacker was claiming to be offering over 400 million Twitter-associated user emails and phone numbers for sale on the black market, according to press reports. Earlier this month, “a similar attempt to sell data from 200 million Twitter-associated accounts was reported in the media,” which, according to Twitter, was the same dataset that was reported in December with duplicates removed.

Based on its investigation, “there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company said. “The data is likely a collection of data already publicly available online through different sources.”

Twitter noted that in August 2022, the company disclosed that it had received a report in January of last year through its bug-bounty program of a vulnerability in Twitter’s systems that let someone use email addresses or phone numbers to reveal Twitter accounts associated with the info. The company said it updated its code in June 2021 to fix the bug.

In July 2022, Twitter “learned through a press report that someone had potentially leveraged [the vulnerability] and was offering to sell the information they had compiled,” the company said. “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.” Twitter said it notified affected users “promptly” of the issue. Media reports in November said 5.4 million Twitter user accounts were being sold online; according to Twitter’s investigation, those were the same accounts that were exposed in August 2022.

Twitter said it is “in contact with data protection authorities and other relevant regulators” in different countries “to provide clarification about the alleged incidents.”

The company also said that, while no…

Source…