Twitter claims that the 600 million pieces of personal information leaked from Twitter were not acquired by exploiting a Twitter vulnerability

Regarding the series of reports that a total of 600 million pieces of personal information were leaked, Twitter announced the results of its investigation, saying, "We could not find any evidence that the data was obtained by exploiting Twitter's vulnerability." In response to this report, several members of the media have pointed out that some points remain unclear.

Update about an alleged incident regarding Twitter user data being sold online

Twitter claims leaked data of 200M users not stolen from its systems

Twitter says no evidence new user data leaks were obtained via system bug | Reuters

The origin of this problem was a bug discovered in January 2022: "If you enter an email address or phone number into the Twitter system, you can get a Twitter ID linked to it." This Twitter API vulnerability was quickly fixed after being reported to Twitter through a bug bounty program, but the August report revealed that data on 5.4 million people obtained by exploiting the vulnerability was being traded on the dark web.

Account information for 5.4 million people leaked from Twitter and hackers sold for 4 million yen - GIGAZINE

In November 2022, it was reported that 5.4 million pieces of data were circulating on the dark web, and in December, a hacker who claimed to have stolen 400 million pieces of data threatened Twitter CEO Elon Musk by name. Furthermore, in January 2023, it was reported that the data of more than 200 million Twitter accounts had been sold for just $2 (about 260 yen).

The following is a summary of the Twitter data breach issues reported so far.
・August 2022: 5.4 million
・November: 5.4 million
・December: 400 million
・January 2023: 200 million

Twitter, which had been investigating the series of issues, reported on January 11, 2023, the results of a comprehensive investigation by its privacy and data protection team and incident response team.

According to Twitter, the data on 5.4 million users reported in August 2022 was indeed leaked because of Twitter's vulnerability. It also confirmed that the 5.4 million records reported in November of the same year were the same data as in August.

However, for the remaining 400 million and 200 million records, Twitter said, "We found no evidence that this data was derived from the exploitation of our system," indicating that the data was not stolen by abusing its systems.

In addition, Twitter said the 200 million records reported in January 2023 were the same as the 400 million records leaked earlier, with duplicates removed, and the data content was the same. Twitter also found no passwords or information that could lead to password compromise in this data.

However, skepticism has also been raised by the media. BleepingComputer, an IT news site that discovered in July, prior to the August 2022 report, that Twitter data had been stolen and reported it to Twitter, said, "The data of leaked Twitter users is integrated. It was not explained why it was linked exactly to the email address associated with the account."

CNN's technology reporter Brian Fung also said, "I'm a little confused by what Twitter is trying to say. 'Comparing the 400 million and 200 million data to the 5.4 million previously leaked data, I did a search and found no duplicates, so there is no evidence coming from an API vulnerability.' If so, isn't that necessarily conclusive?"

in Web Service, Security, Posted by log1l_ks