The first security incident of the Musk era—a purported data breach that allegedly exposed the contact information of millions of users—finally prompted Twitter to end its silence.
In late December, a poster on a well-known cybercrime forum claimed to have scraped the email addresses and phone numbers of 400 million Twitter users by exploiting a zero-day vulnerability in Twitter’s systems, the same flaw previously blamed for exposing at least 5 million Twitter accounts before it was fixed in January 2022. A cleaned-up version of that 400-million-user dataset was allegedly sold later and contained the email addresses tied to more than 235 million Twitter accounts. Researchers warned that the email addresses, which included those of politicians, journalists, and other public figures, could be used to dox pseudonymous accounts.
Twitter, or what is left of the company, addressed the issue last week.
Twitter claimed in an unattributed blog post that it had conducted a “thorough investigation” and found “no evidence” that the data being sold online had been obtained by exploiting a flaw in Twitter’s systems. The absence of evidence, however, does not establish that nothing went wrong: it is not clear whether Twitter retains the technical means, such as logs, to determine whether any user data was exfiltrated. Instead, the company asserted that the hackers were most likely circulating a collection of data stolen in earlier incidents, and that none of it correlated with data obtained by exploiting the bug fixed in January 2022.
Although Twitter’s assertions could well be accurate, the company is difficult to trust. After seeing Twitter’s inconsistent response, regulators will want answers to many of the same questions, including: who was assigned to investigate this breach, and does Twitter have the means to do so thoroughly?
An essential lesson in conduct