A data leak of private information from 400 million Twitter profiles, later repackaged on the dark web as a collection of 200 million files with duplicates eliminated, has been in the news of late as hackers have offered this seeming trove of information for just $2. However, it appears that the bargain price may be due to the information coming from other sources that were already available to the public.
Twitter says that it sees no evidence that the information offered up by the hackers is connected to a data leak from its servers, or that a prior API scraping vulnerability was used to gather it. The social media giant contends that the hacker gathered the information from somewhere else, possibly prior data leaks, even as security researchers demonstrate that email addresses in the files can be paired with legitimate accounts.
Twitter denies massive data leak, some researchers remain skeptical
The news of the 200 million profiles being offered on the dark web was quickly followed up by a number of independent security researchers, who confirmed that at least some of the included contact information was legitimate and could be paired with the associated Twitter username. Some skepticism thus remains even as Twitter claims that the data leak is not composed of any new stolen information.
The original theft of 400 million files was thought to have come from an API scraping vulnerability that was present for much of 2021, but was patched out by Twitter in January 2022. Twitter has confirmed that multiple attackers exploited that vulnerability while the window was open and that the full scope of theft is not known. The issue is complicated by the fact that the party offering the information for sale says that they were not responsible for obtaining it; they simply happened upon it in some unspecified way, and claim that it looked as if an unskilled hacker had dumped it in an amateur manner.
Unclear where Twitter leak came from if company’s contentions are accurate
Twitter’s statement on the data leak (or lack thereof) said only that the company had seen no evidence of a breach of its internal systems and that the prior API scraping issue was not the source of the information. It also said that user password information was not present in the leak, though that had never been asserted by any of the dark web sellers.
It’s far from unheard of for criminals to repackage information from old data leaks and present it as if it’s something new, and the very low asking price for the 200 million files does strongly support that theory. But some security researchers maintain that more attention to this is required as there are new connections between Twitter handles and associated email addresses that should not have been publicly available.
Regardless of the ultimate source of the leak, Twitter has told its users to anticipate that they may receive tailored scam and account access attempts that make use of the details found in the files. The data leak contained some profile information that is usually private, such as account email addresses and phone numbers used for verification.