There’s a lot of Twitter news circulating these days, in the long and chaotic wake of Elon Musk’s takeover. But if you are (or ever were) a Twitter user, I promise, this particular story is probably something you probably want to keep tabs on.
The social media platform has claimed that a treasure trove of leaked user data, containing email addresses linked to about 235 million Twitter accounts, did not come from its systems. The compilation of user information ended up on a dark web marketplace, for sale for just about $2, earlier this month, according to multiple reports.
Though email addresses and corresponding Twitter handles might not seem like sensitive info, the leak prompted concerns that anonymous social media accounts could be tied to real-world identities and that the information would make hacking into accounts far easier. Initially, Twitter did not respond to media outlets’ requesting comment or information. But now, about a week later, the company has released a statement.
“Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company wrote, regarding those 235 million user data points, in a Wednesday night blogpost. “The data is likely a collection of data already publicly available online through different sources,” the post claimed.
In the immediate aftermath of the leak’s detection on January 4, Bleeping Computer reportedly confirmed the validity of a number of the emails. The cybersecurity-focused news outlet also linked those 235 million emails/account pairs to an earlier December leak, containing both phone numbers and emails linked with about 400 million Twitter accounts. Note: Twitter only had around 368 million monthly active users in December 2022, so the leaked data could, in theory, encompass all of these accounts. Allegedly, the smaller January leak was a cleaned up version of the earlier data with fewer duplicates, according to Bleeping Computer.
And, in multiple reports, both of those data dumps were thought to be related to an even earlier security failure, which Twitter publicly acknowledged in August 2022. A fatal flaw in the social platform’s application program interface (API) allowed anyone to get the Twitter ID of a user by searching their phone or email—even if the user in question did not have their phone or email publicly linked with their Twitter handle. The company admitted that the API flaw was related to data being sold by a “bad actor,” and claimed to be notifying affected users.
Though, its Wednesday statement, Twitter has now denied this link. The company claims that, after an internal investigation, the December 400 million user leak “could not be correlated with the previously reported incident, nor with any new incident.” And that the January 200 million account dataset, “could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.” Further, the company claimed that both datasets were the same, with the smaller one simply being cleaned of duplicates—supporting earlier reports.
Twitter’s blogpost also noted that the company is currently in touch with “Data Protection Authorities and other relevant regulators...to provide clarification about the alleged incident.” However, that’s where the site’s explanation ends. Twitter offered no additional information on how, exactly, accurate compilations of hundreds of millions of Twitter accounts’ data ended up on a hacker marketplace. And, obviously, the company denying responsibility doesn’t change that the information is out there.
Gizmodo reached out to Twitter for more information, but did not immediately receive a response. Following Musk’s acquisition of the site—the company dissolved its public relations department.
This entire data debacle is just the latest in Twitter’s long history of breaches and security failures. In 2020, a massive hack targeting celebrity users resulted in former President Barack Obama’s official account, among many others, tweeting out a crypto scam. And in 2019, the social media platform disclosed another breach that meant “private” tweets from Android users were not, in fact, private.
Ireland’s Data Protection Commission fined twitter more than half a million dollars for failing to promptly report and document that Android breach. The same Irish regulator is also investigating the platform’s API vulnerability, in a probe announced in December.