Twitter has denied that emails alleged to be linked to millions of its users’ accounts were obtained using a hack.
In its first statement on the matter, it wrote “there is no evidence” the data came from a flaw in its systems.
The records were instead probably a collection of data “already publicly available online”, although it urged users to be wary of bogus emails.
The firm which raised the alarm about the alleged leaks, Hudson Rock, said it disputed Twitter’s findings.
Alon Gal, the cyber-crime intelligence company’s co-founder, said: “I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter’s conclusion of the data being an enrichment of some sort which did not originate from their own servers.”
Bug bounties
In December, Ireland’s Data Protection Commission (DPC) Twitter’s lead regulator in the EU, announced it was investigating a leak of data linked to 5.4 million accounts.
Twitter says it matched data revealed by a security flaw caused by a system update in June 2021.
The flaw meant, Twitter says, that if someone obtained an email address or phone number, the faulty system could be used to identify any Twitter accounts that were connected to them.
Twitter says it investigated and fixed the fault when it was warned about it in January 2022 through a “bug bounty” scheme that rewards researchers who alert it to security problems.
Hacker forum extortion
In December, Hudson Rock reported that a hacker called Ryushi was attempting to extort Twitter using the threat of an even bigger leak.
Ryushi claimed to have a trove of leaked emails and phone numbers associated with over 400 million user accounts, and offered to “sell” them exclusively to Twitter.
The flaw in Twitter’s system was how Ryushi claimed to have obtained the data.
Following reports of the threatened extortion, the DPC said it would “examine Twitter’s compliance with data protection law in relation to that security issue”.
Leaked again
Last week, a different individual leaked what they said were emails linked to 200 million user accounts, and made them available for anyone to download for a small fee.
Twitter says both datasets are the same, but with duplicated data removed in the smaller leak, and that neither came from using the flaw.
“Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company said.
“The data is likely a collection of data already publicly available online through different sources.”
Twitter did not say whether the email addresses are genuine or if they were correctly matched with user accounts, and, if so, how that was accomplished.
News site Bleeping Computer had earlier reported that it had checked a number of the email addresses and found they were real.
Twitter warned users to “remain extra vigilant” and said the leaked information could be used to create “very effective” bogus phishing emails.
The social media giant added that it has communicated its findings to the relevant data protection authorities.