Twitter has denied claims that the 200 million user emails and passwords leaked earlier this month were obtained through an exploit of its security systems.
The social media giant said it had conducted a “comprehensive investigation” following reports that a dataset containing the account details of its users had been posted online, but failed to find any evidence of a vulnerability in its systems being the source of the leak.
In its first statement on the incident, it wrote “there is no evidence” the data came from a flaw in its systems, instead stating that the collection of data was “already publicly available online through different sources.”
The personal details found in the 200-million-email dataset, it wrote “were found to be the same as those exposed in August 2022” and “could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.”
Cybersecurity researchers remain sceptical, however. Hudson Rock, the cybersecurity firm that first notified Twitter of the leak, said it remained confident that the details leaked in the attack were authentic and not duplicates from previous attacks.
The firm’s cofounder, Alon Gal, told his LinkedIn followers yesterday “I believe that my previous assessment is still valid, meaning the database is authentic.”
“I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter's conclusion of the data being an enrichment of some sort which did not originate from their own servers,” he added.
Twitter urged its users to "remain extra vigilant" and said the leaked information could be used by malicious actors to create "very effective" phishing email campaigns.
Breach after Breach
Twitter’s latest data controversy comes less than a month after Ireland’s Data Protection Commission (DPC) announced that it had launched an investigation following reports that the data of 5.4 million Twitter users had been leaked online.
The DPC is already investigating another breach from November 2021, when the emails and phone numbers linked to more than five million accounts were also leaked online.
Twitter’s handling of data, the DPC explained, “raised queries in relation to GDPR compliance,” after it was revealed the leaked data had come from a bug in the social media giant’s system that allowed users to identify any Twitter account through an email address or phone number.
The bug was only discovered when a user enrolled in Twitter’s “bug bounty” scheme – which rewards researchers who identify security flaws – notified the social media giant of the flaw.
Although Twitter claims that this latest data leak solely contains duplications from this same breach, technology news site Bleeping Computer said it had found that at least some of the personal details are authentic, matching Hudson Rock’s claims.
Less than a week before the leak, Hudson Rock warned Twitter that a hacker under the pseudonym “Ryushi” had obtained private details linked to 400 million Twitter accounts that did not appear to be copied by the August leak.
“Only 60 emails out of the sample of 1,000 provided by the hacker were duplicates of those from the previous breach, so we are confident that this breach is different and significantly ," Co-founder Mr Gal told the BBC.
The attack a week later differed greatly from the claims of Ryushi. For one, the dataset was only half the size of the original 400 million the hacker claimed to have obtained, and the dataset was posted for free – while Ryushi told Hudson Rock he would be selling the data he obtained.
If this latest leak is indeed not related to the hacker, it will be yet another addition to the several breaches currently under investigation by the DPC, leading security experts to question whether Twitter may be struggling to protect its data following Musk’s takeover of the platform in October.
Big Tech’s downplay of cybercrime
Security experts believe that Twitter’s latest leaked data may have been collected by a newly discovered scraping attack that abused a flaw in one of Twitter’s application programming interfaces (APIs), tricking it into revealing hidden details about accounts.
The strategy was used by hackers in Twitter’s November 2021 breach and has been used to target multiple social media platforms in the past.
Previous data scraping exploitations of this kind have been routinely ignored by large tech firms and brushed away as not serious security flaws.
In December 2020, for instance, the DPC fined Twitter €450,000 ($550,000) for failing to notify the regulator of a breach within the 72-hour timeframe required by the EU's General Data Protection Regulation (GDPR).
Meanwhile, in November last year, Meta was hit with a 265m-euro ($276m) fine by the DPC after the personal data of more than half a billion users was scraped and sold on a hacking site.