Twitter has denied that it was hacked and that the data being sold online was stolen from its systems. Last week, Alon Gal, co-founder of the Israeli cybersecurity-monitoring firm Hudson Rock, posted on LinkedIn that he had discovered stolen data containing the email addresses of more than 200 million Twitter users. Gal wrote that the data was posted on an online hacking forum and that the breach would likely lead to “hacking, targeted phishing and doxxing,” and termed it a “significant leak.” He said that Twitter had not responded to him when he alerted the company about it.
Now, Twitter has issued a response, stating, “in response to recent media reports of Twitter users’ data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.”
Meanwhile, in a new post on LinkedIn, Gal disagreed with Twitter’s response. “The authenticity of the leak is evident in the lack of false positives between Twitter usernames and emails found in the database, opposite to cases of data enrichments,” he wrote.
Twitter says no evidence of new breach
Twitter previously reported that the data of 5.4 million accounts was compromised due to a bug, which has since been fixed. In January 2022, Twitter was informed of a vulnerability in its systems: when an email address or phone number was submitted to them, the systems would reveal which Twitter account, if any, it was linked to.
Twitter later learnt in July 2022 that hackers had “leveraged this” flaw to scrape user information, including mobile numbers and other data, and were selling it online. It informed users whose accounts were impacted. In its latest post, Twitter said that the data of 5.4 million accounts was impacted by the bug and that this was fixed. The post adds that the latest dataset of 200 million users “could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.”
According to Twitter, “None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.” In December 2022, another set of reports said that 400 million email addresses and phone numbers had been stolen from Twitter, which the company has also denied.
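The flaw described above is an account-enumeration oracle: a lookup whose answer differs depending on whether a contact is registered. As an added illustration (not Twitter's code, and not based on knowledge of its implementation), the following Python shows the leaking lookup beside a non-leaking one, plus a log check that flags the bulk-query pattern a scrape of such an oracle would leave; the accounts, handles, log format and IP addresses are all constructed.

```python
from collections import defaultdict

# Constructed sample data: made-up contacts and handles, not real accounts.
ACCOUNTS = {
    "alice@example.com": "@alice_demo",
    "+15550100": "@bob_demo",
}
GENERIC = "If this identifier is registered, instructions have been sent to it."


def lookup_vulnerable(identifier: str) -> dict:
    """Leaky form: the response changes with registration status and even
    names the linked handle, so contacts can be mapped to accounts in bulk."""
    handle = ACCOUNTS.get(identifier.strip().lower())
    return {"found": True, "handle": handle} if handle else {"found": False}


def lookup_hardened(identifier: str) -> dict:
    """Non-leaking form: identical response whether or not the identifier is
    registered. Anything that confirms ownership goes to the contact itself."""
    key = identifier.strip().lower()
    if key in ACCOUNTS:
        pass  # hypothetical: queue a notification to the verified contact
    return {"message": GENERIC}


def flag_enumeration(log_lines, max_distinct=3):
    """Detection: one client probing many *distinct* identifiers within the
    same minute, the access pattern a bulk scrape of the oracle produces.
    Log line format (constructed): 'ISO-timestamp client_ip identifier'."""
    distinct = defaultdict(set)
    for line in log_lines:
        ts, client, ident = line.split()
        distinct[(client, ts[:16])].add(ident.lower())  # bucket per minute
    return sorted({client for (client, _), ids in distinct.items()
                   if len(ids) > max_distinct})


# Constructed log sample: one client sweeps four contacts in a minute,
# another repeats a single lookup (normal recovery behaviour).
SAMPLE_LOG = [
    "2023-01-05T10:00:01 203.0.113.5 alice@example.com",
    "2023-01-05T10:00:02 203.0.113.5 bob@example.com",
    "2023-01-05T10:00:02 203.0.113.5 carol@example.com",
    "2023-01-05T10:00:03 203.0.113.5 dave@example.com",
    "2023-01-05T10:00:09 198.51.100.7 alice@example.com",
    "2023-01-05T10:00:40 198.51.100.7 alice@example.com",
]

if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"), lookup_hardened("alice@example.com"))
    print(flag_enumeration(SAMPLE_LOG))  # ['203.0.113.5']
```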
Twitter and the case of 600 million email ids
Meanwhile, according to the researcher, who first posted on social media on December 24 last year, the data was shared on online hacker forums and contained around 200 million email addresses of Twitter users. There were no clues to the identity or location of the hacker or hackers behind the breach. In his latest post, Gal wrote, “I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter’s conclusion of the data being an enrichment of some sort which did not originate from their own servers.”
It is not clear when the data was stolen. Given the company has admitted to the vulnerability in the past, the scraping likely took place in 2021, well before Elon Musk took ownership of the company.
Why email id theft is a risk
The theft of email addresses and phone numbers poses such a big risk because it exposes users’ accounts to phishing and doxxing, especially if hackers can determine which account is linked to which email id or phone number. With a large set of email ids and phone numbers in hand, hackers can carry out targeted phishing attacks in an attempt to lure unsuspecting victims.
Most cybersecurity experts recommend that users double-check emails or messages claiming to be from a company, especially those that ask for passwords or other sensitive information. For instance, one common scam on social media platforms is a Direct Message sent from an account which claims to be from Twitter support. The user is warned that their content is violating some rules and they are asked to enter login details again or else the account will be blocked. This is typically a scam with hackers attempting to take over an account. That’s because Twitter is unlikely to send warnings via Direct Messages. One should ideally ignore such messages and mark them as spam.
Users should also always double-check the URL where they are entering their login details. The address bar should show the padlock symbol at the beginning and the URL should start with HTTPS. Also check for spelling errors, which are common in most phishing URLs.