Twitter claims ‘no proof’ 200 million leaked usernames and email addresses came from exploiting its system
A database posted online claims to reveal more than 200 million related Twitter usernames and email addresses. Now, a few days after the initial reports, Twitter says “The dataset cannot be correlated with a previously reported incident or any data derived from exploiting the Twitter system.”
Based on Reports from security researchers and the media including BleepingComputerThe credentials in the leak were aggregated from a number of previous Twitter breaches dating back to 2021. However, according to Twitter, “there is no evidence that the recently sold data was obtained by disclosure. exploit the vulnerability of the Twitter system”.
Its statement refers to the information in the dataset simply by saying, “Data can be a collection of data that is already publicly available online through various sources.”
precipice has reached out to Twitter for further clarification on the accuracy of the recordings in the leak, but Twitter has not had a functioning press office since it was acquired by Elon Musk.
The 5.4 million user accounts reported in November were found to be identical to those exposed in August 2022.
The 400 million cases of user data in the second alleged breach cannot be correlated with the previously reported incident, nor with any new incidents.
The 200 million dataset cannot be correlated with the previously reported crash or any data derived from exploiting the Twitter system.
Both datasets are the same, although the second has removed duplicate entries.
None of the data sets analyzed contained passwords or information that could lead to passwords being compromised.
“This is one of the most serious leaks I have ever seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the data. above LinkedIn. “[It] will unfortunately lead to a lot of hacks, targeted scams and doxxing.” The datasets don’t contain passwords, as experts and Twitter have pointed out, but email addresses can still be particularly useful for hackers targeting specific accounts.
Estimates of the exact number of users affected by the breach vary, in part because of the tendency for such large-scale data dumps to include duplicate records. Screenshot of the database shared by BleepingComputer shows that it contains some text files that list the email address and Twitter username associated with it, as well as the user’s real name (if they’ve shared them with the site), their follower count, and the date create Account. BleepingComputer said it had “validated multiple email addresses listed in the leak” and that the database was sold on a hacking forum for just $2.
Troy Hunt, the creator of the cybersecurity warning website I was Pwnedalso analyzed the violation and shared his conclusions on Twitter: “Found 211,524,284 unique email addresses, looks like its description.”
Violations have now been added to Have I been Pwned’s system, meaning anyone can access the website and enter their email address to see if it’s included in the database.
The origin of the database seems to be traced back to 2021, report washington articles, when hackers discovered a vulnerability in Twitter’s security system. The vulnerability allows malicious actors to automatically look up accounts — bulk entering email addresses and phone numbers to see if they’re associated with a Twitter account.
Twitter disclosed this vulnerability in August 2022, said they fixed the issue in January of that year after it was reported as a bug bounty. The company claimed at the time that there was “no evidence that anyone took advantage of the vulnerability,” but cybersecurity experts did. discovered database of twitter logins for sale in July of that year.
The company also said on Wednesday that its investigations revealed that about 5.4 million user accounts were exposed in November. That appears to be the only data set it attributed to the vulnerability that existed. for years, which went unnoticed by Twitter for about seven months.
The breach is just the latest cybersecurity incident to affect Twitter, which has long struggled to protect users’ data. The company has been and is investigated by the EU for violations (based on first reports as of July 2022) and is being probed by the FTC for similar security flaws. Last August, Twitter’s former chief security officer accused the company, Peiter “Mudge” Zatko, of filing a complaint with the US government in which he claimed that the company had cover up “serious shortcomings” in its cybersecurity defenses.
Update Jan 11, 4:05 p.m. ET: Added Twitter’s response to the incident claiming that there is no evidence linking most of the leaked IDs to data from its systems.