For three weeks, a very popular data-leak forum has been abuzz with the sale, and then the (almost free) publication, of a database of over 200 million Twitter users. Each entry in the file contains the name, username or email address associated with an account, along with other public profile information. Although the data itself is of relatively low value, the database is notable for its sheer size.
The social network and its owner Elon Musk, usually very talkative, refrained from commenting on these events until yesterday. In a statement, the User Privacy Team said that after analyzing the published database it had found "no evidence that the data sold online was obtained through a flaw in Twitter's systems."
A dubious hypothesis to avoid fines
Twitter suggests that the people behind the file may simply have performed data enrichment, a practice that consists of cross-referencing different databases. Concretely, they would have collected public Twitter data such as usernames, display names and account creation dates, then cross-referenced it with other datasets to associate each record with an email address. With this hypothesis the social network declines any responsibility for the leak of personal data, which would otherwise expose it to fines in several jurisdictions, in particular in Europe under the GDPR.
However, Alon Gal, a respected data-leak analyst at Hudson Rock, challenges Twitter's theory on his LinkedIn account. For him, the authenticity of the leak is evident from the absence of false positives in the file's account/email pairings, which are common when data has merely been enriched. Other analysts confirm these observations, but it remains difficult to establish the origin of the data with certainty.
The social network also rightly points out that the database contains neither passwords nor any other data from which one could be recovered, which drastically reduces the danger to the integrity of Twitter accounts.
Exploitation of a flaw is not ruled out
The people behind the file's release said they exploited a vulnerability in the way Twitter's API [the interface through which other sites connect to it, editor's note] worked, at the end of 2021. In August 2022 the social network, not yet under Elon Musk's control, acknowledged the existence of this bug, which had been reported by an ethical hacker in January and fixed immediately.
When an API user submitted an email address, the API returned the associated account, which it should not have done. To build a database it was enough to repeat the operation over lists of email addresses, hundreds of which circulate on unscrupulous forums. In other words, Twitter did not leak the personal data itself (the email addresses) but made it possible to link them to accounts. Fortunately, that link is not enough to log in to an account, since the password is also required, as well as the two-factor authentication code if it is enabled. On the other hand, it lets malicious actors target accounts of interest (public figures, companies, etc.) with personalized phishing [booby-trapped messages, editor's note], in the hope of stealing those credentials.
This summer, Twitter confirmed the link between this bug and the publication of a database of 5.4 million users. But the new management says the 200 million-user database would not be tied to it: "We have not been able to correlate the new data with that of the previous incident," the social network indicates in its statement.
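To make the mechanism concrete, here is an added example (not Twitter's code, and not the actual endpoint the attackers used) modelling the account-enumeration bug described above: a lookup that answers differently depending on whether an email address belongs to an account, the bulk replay of a purchased address list against it, and a hardened variant that returns the same response for every input and is throttled per client. The account table, addresses and limits are constructed for the example.

```python
"""Added illustration of email-to-account enumeration and its mitigation.

Everything here is a toy model: ACCOUNTS is a constructed table, and the
lookup functions stand in for a hypothetical API endpoint, not Twitter's.
"""
from __future__ import annotations

from typing import Callable, Dict, Iterable

# Constructed sample account table (made-up addresses and handles).
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "alice_dev",
    "bob@example.org": "bob_cto",
}

# Constructed stand-in for a leaked mailing list bought on a forum.
CANDIDATE_EMAILS = [
    "alice@example.com",
    "nobody@example.net",
    "bob@example.org",
    "carol@example.com",
]


def vulnerable_lookup(email: str) -> dict:
    """Pre-fix behaviour as the article describes it: the response reveals
    whether the address is registered and which account it belongs to."""
    handle = ACCOUNTS.get(email)
    if handle is None:
        return {"found": False}
    return {"found": True, "username": handle}


def hardened_lookup(email: str) -> dict:
    """Fixed behaviour: identical response whether or not the address exists.

    The lookup still happens (in a real service it would queue an out-of-band
    message to the address), but nothing about the result is returned to the
    caller, so replaying a list yields no information.
    """
    _ = ACCOUNTS.get(email)  # side effect only; result deliberately unused
    return {"status": "If an account matches, instructions were sent to it."}


def enumerate_accounts(lookup: Callable[[str], dict],
                       emails: Iterable[str]) -> Dict[str, str]:
    """The attacker's loop: replay every address and keep the confirmed hits."""
    hits: Dict[str, str] = {}
    for email in emails:
        response = lookup(email)
        if response.get("found"):
            hits[email] = response["username"]
    return hits


class RateLimiter:
    """Fixed-window counter per client key, as defence in depth: even a
    leaky endpoint is far less useful at a few hundred calls per hour
    than at millions. `now` is passed in explicitly to keep it testable."""

    def __init__(self, max_calls: int, window_s: float) -> None:
        self.max_calls = max_calls
        self.window_s = window_s
        self._windows: Dict[str, tuple] = {}

    def allow(self, client: str, now: float) -> bool:
        start, count = self._windows.get(client, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0
        count += 1
        self._windows[client] = (start, count)
        return count <= self.max_calls


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(vulnerable_lookup, CANDIDATE_EMAILS))
    print("hardened:  ", enumerate_accounts(hardened_lookup, CANDIDATE_EMAILS))
```

Run against the constructed list, the vulnerable endpoint hands back both registered accounts while the hardened one yields nothing; combined with the rate limiter, bulk replay of an address list becomes both uninformative and slow. In a real service the hardened response must also be constant in size and timing, not just in content, or the oracle simply moves to a side channel.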
Twitter in the sights of regulators
However, Twitter has not communicated directly with the users affected by this summer's leak, nor does it intend to notify those affected by the recent one. The American regulator, the Federal Trade Commission, and the Irish data protection authority (Twitter's European headquarters are in Ireland) have both opened investigations into the incidents, and more generally into the security of the social network. Since Elon Musk's takeover in late October, no fewer than three executives responsible for Twitter's security and data integrity have resigned without being replaced.
As a reminder, Facebook's parent company Meta was fined €265 million in Europe for violating the GDPR, following the publication of a similar database (with phone numbers instead of email addresses) in 2021.