The loss of more than 200 million email addresses belonging to Twitter users, stolen data that ended up on the black market of the web in November 2022, would not be the result of an attack that exploited the platform’s internal vulnerability. Or at least that’s what the company claims. Experts, however, do not seem to believe too much in this version.
Twitter’s response comes after some speculation that a vulnerability dating back to 2021 was responsible for the data leak. The company fixed the vulnerability in January 2022 and has now strongly rejected those who believe that this was the gateway for hackers.
What Happened: The data stolen in November and the company’s whereabouts today
In November 2022, a few months ago, a forum hacker had published online the data of over 5.4 million Twitter accounts, apparently stolen earlier this year. Furthermore, it appeared that the hackers had also stolen the information of over 1.4 million accounts suspendedbut this data was only shared privately.
The common opinion, as mentioned, was that the hackers had exploited the correct vulnerability in January 2022. In fact, it is believed that the data was stolen in early 2022, despite being put “for sale” at the end of the year. Right away Twitter’s formal response:
“We have conducted a thorough investigation and there is no evidence that the recently sold data was obtained by exploiting a vulnerability in Twitter’s systems. The 200 million dataset cannot be correlated with the previously reported incident or any data from an exploitation of Twitter’s systems. None of the analyzed datasets contained passwords or information that could lead to passwords being compromised.”
In short, Twitter, in practice, it was not enough. The company then claims that that specific database, thought to be vulnerable to attacks, simply didn’t contain the data that ended up on the net. “The stolen data likely comes from databases collected elsewhere, available online through various sources,” Twitter said.
However, this position has not convinced the experts. They ask Twitter for more information, as they do not believe in the theory of “that database did not contain sensitive information”.