Following the latest database leak, including Twitter usernames and other information of over 200 million Twitter users, the micro-blogging company has come out with an explanation stating that the data wasn’t sourced from a flaw in their systems as was previously believed.
This database was a cleaned-up version of another one containing the information of over 400 million Twitter users, which leaked in December 2022. This means that the first leak — a database with 5.4 million Twitter users remains the only one collected through Twitter’s now infamous API flaw.
Twitter fixed the bug upon discovery via its HackerOne bug bounty program in January 2022. It resulted from an update to the codebase made in June 2021. The company immediately fixed the issue but found no evidence of any exploits.
Later in July last year, Twitter learned through a press report that the vulnerability had been explored and the information collected was being sold. After reviewing a sample of the data that the threat actor was selling, Twitter could confirm that the vulnerability had been exploited before it was patched.
According to Twitter’s update, “there is no evidence that recently sold data was obtained by exploiting a vulnerability of Twitter systems”. The company insists that the 200 and 400 million datasets cod not be correlated with any previously reported incident or a new one.
The source of this latest breach is unknown, although Twitter believes that it’s likely a collection of publicly available data compiled through different sources. The company is in contact with relevant data protection authorities and regulators from different countries to provide clarification about these alleged breaches.
Finally, none of the leaked datasets contained any passwords or information that could lead to a password compromise. Regardless, they still expose Twitter usernames, email addresses, account creation dates and other important information that can be used to target millions of users with phishing attacks.