Euro Security Watch with Mathew J. Schwartz

Twitter: Latest Dump Has 'Already Publicly Available' Data

Reports 'No Evidence' Twitter Flaw Exploited to Amass Latest Leaked Data on Users
Twitter: Latest Dump Has 'Already Publicly Available' Data

Twitter says a recent collection of purported user data being sold and then leaked via cybercrime markets was not amassed by exploiting a vulnerability in its systems.

See Also: OnDemand | The Cost of Underpreparedness to Your Business

"In response to recent media reports of Twitter users' data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems," Twitter reports in a Wednesday update.

"The data is likely a collection of data already publicly available online through different sources," it adds.

Some security experts, however, aren't so sure.

Last week, Alon Gal, CTO at Israeli cybercrime intelligence firm Hudson Rock, reported that the data looks as if it leaked from a Twitter database. He also described the collection of data as being "one of the most significant leaks I've seen" and said it leaves Twitter users at elevated risk from "hacking, targeted phishing and doxxing."

Gal says he stands by his analysis. "Having discussed it with other security professionals and conducting my own research around it, I believe that my previous assessment is still valid," Gal says in a Wednesday LinkedIn post.

"For example, the authenticity of the leak is evident in the lack of false positives between Twitter usernames and emails found in the database, opposite to cases of data enrichments," he says.

Enriching data means taking an existing set of data - perhaps compiled from other breaches - and then attempting to add additional fields connected to the same individual. Hence someone might possess people's real names and email addresses and use illicit tactics to enrich the record with the individuals' phone numbers, Twitter account names or even passwords for various services. Gal says this approach is known to introduce a notable number of false positives.

Analysis of Breaches - Alleged or Otherwise

Twitter's update, including its caveat about "data recently being sold," requires unpacking, given the spate of real or alleged data breaches the service has suffered over the past two years.

Likewise, Twitter's attempt to clarify what did and didn't get stolen from its systems comes as widespread concern continues, since Musk's acquisition, over the stability of its systems and whether it is devoting sufficient resources to protect users and their data (see: Will Twitter Sink or Swim Under Elon Musk's Direction?).

To be clear, a vulnerability that which Twitter has confirmed that attackers previously exploited to steal data existed - and was fixed - before Musk began his divisive tenure as CEO.

In July 2022, Twitter said it learned that someone had exploited an API-accessible feature called "let others find you by your phone" that it had offered from June 2021 until January 2022, when it received a bug report highlighting how the functionality could be abused and deactivated it.

Before then, "if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," it said.

While Twitter reported there was no evidence the feature had been abused by attackers while it was active, the functionality was indeed abused - although Twitter failed to spot it at the time. But after criminals began offering stolen data on 5.4 million users for sale in July 2022, Twitter then identified the "let others find you" feature as being the culprit. "After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed," it said.

This data included Twitter users' usernames, display names, bios, locations, email addresses and phone numbers.

Who Else Abused the Feature?

One question remains: How many other criminals abused the feature to compile user data, which Twitter also failed to spot when it was happening?

In November 2022, someone dumped a database containing stolen data on 5.4 million Twitter users. Twitter says this data set is a match with the data was being offered for sale last July.

In December 2022, someone claimed to be selling data on 200 million Twitter users that had allegedly been scraped "via a vulnerability" at Twitter. Of course, vendors of stolen data have been known to lie, especially if it helps hype their wares.

In its new update, Twitter says the user data contained in this collection of 400 million records "could not be correlated with the previously reported incident, nor with any new incident." The data collection contains Twitter users' names, usernames, email addresses and follower counts.

Ditto for the sale and then leak this month of 200 million alleged Twitter user details. "Both data sets were the same, though the second one had the duplicated entries removed," Twitter says, confirming what multiple security experts have also observed (see: Expect Hacking, Phishing After Leak of 200M Twitter Records).

Keep Using TFA, Twitter Recommends

Twitter warns that regardless of whether attackers recently exploited a new flaw - again, it says they did not - user information of use to criminals is now in wide circulation.

Accordingly, Twitter recommends users "remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns."

Twitter also recommends all users employ two-factor authentication to protect their accounts and make them hard to hijack. But anecdotally, many users deactivated TFA for the service after Elon Musk bought the company for $44 million. In response to the widespread cuts - of both personnel and systems - that Musk began to make, some former Twitter employees cautioned that system stability seemed likely to suffer and recommended users deactivate TFA as a precautionary measure.

Sure enough, not long after, there were reports of TFA glitches, although not for users who had tied it to an authenticator app on their phone or a physical security key. But some users who had opted to receive a text message with a one-time code began reporting that they were not getting these SMS messages.

Twitter, however, reported that there were no widespread TFA outages. "We're looking into the few cases where SMS codes aren't being delivered," it said.

Such assurances are welcome. But as Musk-era Twitter strives to remain relevant following many users reporting that they've given up, arguably the company's "hearts and minds" campaign - not least on the security front - needs much more work.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.