Twitter says leaked emails not hacked from its systems

Twitter has denied that emails allegedly linked to the accounts of millions of its users were obtained through a hack.

In its initial statement, it stated that “there is no evidence” that the data came from a flaw in its systems.

The records were most likely a collection of data that was “already publicly available online,” but it warned users to be wary of bogus emails.

Hudson Rock, the firm that raised the alarm about the alleged leaks, said it disagreed with Twitter’s findings.

“I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter’s conclusion that the data was an enrichment of some sort that did not originate from their servers,” said Alon Gal, co-founder of the cyber-crime intelligence firm.

Bug Bounties

In December, Ireland’s Data Protection Commission (DPC), Twitter’s lead EU regulator, announced that it was investigating a data leak involving 5.4 million accounts.

Twitter claims to have matched data revealed by a security flaw discovered during a system update in June 2021.

According to Twitter, the flaw meant that if someone obtained an email address or phone number, the faulty system could be used to identify any Twitter accounts associated with them.

Twitter claims it investigated and fixed the flaw after being alerted to it in January 2022 via a “bug bounty” scheme that rewards researchers who alert it to security issues.

Extortion from a Hacker Forum

Hudson Rock reported in December that a hacker named Ryushi was attempting to extort Twitter by threatening a larger leak.

Ryushi claimed to have a cache of leaked emails and phone numbers linked to over 400 million user accounts, which he offered to “sell” exclusively to Twitter.

Ryushi claimed to have obtained the data through a flaw in Twitter’s system.

Following reports of the threatened extortion, the DPC said it would “examine Twitter’s compliance with data protection law about that security issue”.

Leaked Once More

A different individual leaked emails linked to 200 million user accounts last week and made them available for anyone to download for a small fee.

Twitter claims that both datasets are the same, but that the smaller leak removed duplicated data, and neither came from exploiting the flaw.

“There is no evidence that the data being sold online was obtained by exploiting a vulnerability in Twitter systems, based on the information and intel analyzed to investigate the issue,” the company said.

“The data is most likely a compilation of already publicly available online data from various sources.”

Twitter did not say whether the email addresses were genuine or whether they were correctly matched with user accounts, and if so, how.

The news site Bleeping Computer had previously reported that it had verified a number of the email addresses.

Twitter advised users to “remain extra vigilant,” claiming that the leaked information could be used to create “very effective” phishing emails.

The social media giant also stated that it had informed the relevant data protection authorities of its findings.