Over the past three weeks, a very popular data leak forum has been busy selling, and then releasing almost for free, a database of more than 200 million Twitter users. Each entry in the file contains the name, username or email address linked to an account, along with other public information. Although this database consists of relatively low-value data, it is nevertheless notable because of its sheer size.
The social network and its leader Elon Musk, usually very talkative, avoided commenting on these events until yesterday. The User Privacy Team said in a statement that, after reviewing the published database, they found "there is no evidence that the data sold online was obtained through a flaw in Twitter's systems."
A dubious assumption to avoid fines
Twitter suggests that the individuals behind the leaked file may simply have been performing data enrichment, a practice that involves cross-referencing different databases. In this scenario, they would have collected public data from Twitter, such as usernames, display names or account creation dates, and then cross-checked it against other data sets to correlate each account with an email address. Under this hypothesis, the social network rejects any responsibility for the leak of personal data, which would otherwise expose it to fines under certain laws, especially in Europe under the GDPR.
However, Alon Gal, a respected data breach analyst at Hudson Rock, cast doubt on Twitter's theory on his LinkedIn account. For him, the authenticity of the leak is shown by the absence of false positives in the file's account/email associations; such false positives are common in cases of simple enrichment. Other analysts corroborate these claims, but it remains difficult to determine with certainty the source of the data.
The social network also correctly points out that the database does not contain any passwords or other data that could be used to recover one, which greatly reduces its risk to the integrity of Twitter accounts.
The hypothesis of using a flaw is not excluded
The individuals behind the leaked file claimed that it was built by exploiting a vulnerability in the way Twitter's API [the interface through which other sites connect to the service, ed.] worked at the end of 2021. In August 2022, the social network, which was not yet under the control of Elon Musk, acknowledged the existence of this bug, which had been discovered by an ethical hacker in January and fixed immediately.
When an API user submitted an email address, the API returned the associated account, which it should not have done. All that was needed to build a database was to repeat the operation with email lists, hundreds of which circulate on unscrupulous forums. In other words, Twitter did not leak personal data (the email addresses) but allowed them to be linked to accounts. Fortunately, this association is not enough to log in to the accounts, since the password is also needed, as well as the two-factor authentication code if it is enabled. On the other hand, it allows malicious individuals to target accounts of interest (public figures, companies, etc.) with personalized phishing [booby-trapped messages, ed.], in the hope of stealing those credentials from them.
This summer, Twitter confirmed the link between this bug and the publication of a database of 5.4 million users. But the new administration says the 200 million user database cannot be attributed to it. "We were unable to link the new data to the previous incident," states the social network in its press release.
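The flaw described above is a classic account-enumeration oracle: an endpoint whose response differs depending on whether a submitted email address is registered. The following is an added illustration, not code from the original article and not Twitter's actual API; the account store, handler names and thresholds are constructed assumptions. It places a leaking lookup handler beside a hardened one whose response is identical for registered and unregistered addresses, adds a differential check a reviewer can run against any such handler, and sketches the kind of per-client counter a defender would use to spot bulk lookups of the sort the paragraph describes.

```python
"""Account-enumeration oracle: leaky handler, hardened handler, and a bulk-lookup detector.

Added example (assumption-based); not the article's or Twitter's code.
"""
from collections import defaultdict, deque

# Constructed sample account store; these are not real accounts.
ACCOUNTS = {
    "alice@example.com": "alice_handle",
    "bob@example.com": "bob_handle",
}


def lookup_leaky(email: str) -> dict:
    """Vulnerable pattern: the response reveals whether the address is registered
    and, when it is, which account it belongs to."""
    handle = ACCOUNTS.get(email.strip().lower())
    if handle is None:
        return {"found": False}
    return {"found": True, "username": handle}


def lookup_hardened(email: str) -> dict:
    """Hardened pattern: the same contact-discovery request is accepted, any
    follow-up (e.g. notifying the address owner) happens out of band, and the
    caller receives one constant response regardless of registration status."""
    _ = ACCOUNTS.get(email.strip().lower())  # internal work, never reflected
    return {"status": "accepted"}


def is_oracle(handler, known: str, unknown: str) -> bool:
    """Differential check: True if the handler distinguishes a registered
    address from an unregistered one, i.e. it is an enumeration oracle."""
    return handler(known) != handler(unknown)


class EnumerationDetector:
    """Flags a client that queries more than `max_distinct` different
    addresses within `window_seconds`; repeated lookups of the same address
    (a legitimate retry) do not count as new addresses."""

    def __init__(self, max_distinct: int, window_seconds: float):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self._events = defaultdict(deque)  # client -> deque of (ts, email)

    def record(self, client: str, email: str, ts: float) -> bool:
        """Record one lookup; return True when the client exceeds the threshold."""
        q = self._events[client]
        q.append((ts, email.strip().lower()))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {e for _, e in q}
        return len(distinct) > self.max_distinct


if __name__ == "__main__":
    print("leaky is oracle:", is_oracle(lookup_leaky, "alice@example.com", "x@example.com"))
    print("hardened is oracle:", is_oracle(lookup_hardened, "alice@example.com", "x@example.com"))
    det = EnumerationDetector(max_distinct=3, window_seconds=60)
    for i in range(5):
        print("lookup", i, "flagged:", det.record("client-1", f"user{i}@example.com", ts=i))
```

The differential check is the test a reviewer would keep in a regression suite for any "find my contacts" or password-reset endpoint: if the two responses differ in body, status code or timing, the endpoint can be driven with an address list exactly as the article describes. The detector is deliberately keyed on distinct addresses per client rather than raw request count, because bulk correlation looks like many different inputs from one source, while normal use rarely does.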
Twitter in the sights of regulators
However, Twitter did not directly contact users affected by this summer's leak, nor does it intend to notify those affected by the recent one. The American regulator, the Federal Trade Commission, and the data protection authority of Ireland, where Twitter's European headquarters are located, have both opened investigations into the incidents, and more generally into the security of the social network. Following the arrival of Elon Musk at the end of October, at least three executives in charge of security and data integrity at Twitter resigned without being replaced.
As a reminder, Meta, Facebook's parent company, was fined 275 million euros in Europe for violating the GDPR following the publication of a similar database (with phone numbers instead of email addresses) in 2021.