Twitter on Wednesday said that its investigation found “no evidence” that users’ data sold online was obtained by exploiting any security vulnerabilities in its systems.
“Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company said in a statement. “The data is likely a collection of data already publicly available online through different sources.”
The disclosure comes in the wake of multiple reports that Twitter data belonging to millions of users – 5.4 million in November 2022, 400 million in December 2022, and 200 million last week – have been made available for sale on online criminal forums.
The social media giant further said the breach “could not be correlated with the previously reported incident, nor with any new incident,” adding no passwords were exposed. The two datasets published in December and January are said to be identical, with the latter having duplicated entries removed.
Twitter, in August 2022, acknowledged that a code change in June 2021 introduced an API bug that enabled users to link Twitter accounts to a particular email address or phone number. The flaw was subsequently exploited to scrape the information of 5.48 million user profiles.
Ryushi, the threat actor who advertised the data dump on the Breached hacking forum in December 2022, claimed the information was compiled using the now-fixed vulnerability. It’s currently not known how the dataset was obtained and if it was amassed prior to the patching of the flaw in January 2022.
The Irish Data Protection Commission (DPC) announced last month it is investigating the leak of data pertaining to 5.4 million Twitter users worldwide in November, which, according to Twitter, is “the same as those exposed in August 2022.”
The Elon Musk-owned company also said it’s in contact with relevant data protection authorities to clarify the “alleged incidents,” while warning users to enable two-factor authentication (2FA) and be on the lookout for potential phishing attempts.