12 January 2023

Twitter says there is ‘no evidence’ data leak came from exploiting its systems

Twitter says a list of usernames and passwords posted online by hackers was not obtained by exploiting vulnerabilities in the social media site’s security systems.

The company said it has carried out an investigation following reports earlier this month that a database had been posted online showing account details for more than 200 million Twitter users.

According to reports from security researchers and others, the usernames and email addresses in the leak were compiled from several other, earlier Twitter breaches dating back to a bug in Twitter’s systems created in 2021 and fixed in early 2022.

The bug meant that anyone who submitted an email address or phone number to Twitter’s systems would be told what account, if any, those details were linked to – a flaw that Twitter confirmed last summer had been exploited by hackers.

However, Twitter says its investigation into this latest dataset found that the information in the database “could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems”.

“Therefore, based on information and intel analysed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company said.

“The data is likely a collection of data already publicly available online through different sources.”

Twitter joined cybersecurity experts in urging users to protect their accounts by ensuring they use a strong password and two-factor authentication to prevent unauthorised log-ins.

“We also encourage Twitter users to remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns.

“Be wary of emails conveying a sense of urgency and emails requesting your private information, always double check that emails are coming from a legitimate Twitter source.”

In recent weeks, two Cabinet ministers have had their Twitter accounts hacked.

The latest incident comes as the social media giant continues to face questions over its general security and its wider future under the leadership of Elon Musk, who completed his takeover of the platform in October.

Although the bug linked to these data leaks occurred well before Mr Musk’s takeover, many experts have raised concerns about the number of staff now leaving Twitter and whether the platform is able to remain as secure with substantially reduced staff in place.

Culture Secretary Michelle Donelan has said “the jury is out” on Mr Musk’s leadership, which has also seen Twitter allow banned accounts, including that of Donald Trump, to return to the site, and loosen content moderation rules.

“Let’s see for the moment,” she told The News Agents podcast.

“But it’s not heading in the right direction. But he’s having a limited impact. So, let’s see.”

Late last year, Mr Musk pledged to stand aside as Twitter chief executive after users voted in an online poll for him to stand down.

However, the billionaire has not given any timeframe on that move, only saying he would hand over the day-to-day running of the site once he finds someone “foolish enough” to take on the role.
