Over the past three weeks, a hugely popular data-leak forum has been selling, and then releasing almost for free, a database of over 200 million Twitter users. For each entry in the file, the name, username or email address associated with the account is shown, along with other public information. Although the database contains relatively low-value data, it is noteworthy for its enormous size.
The social network and its boss Elon Musk, who usually talks a lot, refrained from commenting on these events… until yesterday. In a statement, its User Privacy Group said that after analyzing the published database it found “no evidence that the data sold online was obtained as a result of a flaw in Twitter’s systems.”
A dubious assumption to avoid fines
Twitter suggests that those behind the file’s release may simply have engaged in data enrichment, a practice that consists of cross-referencing various databases. Specifically, they would have collected public data from Twitter, such as usernames, display names or account creation dates, and then cross-checked it against other data sets to associate email addresses with them. With this hypothesis, the social network denies any responsibility for a leak of personal data, which would expose it to fines under several pieces of legislation, notably the GDPR in Europe.
However, Alon Gal, a prominent data-breach analyst at Hudson Rock, cast doubt on Twitter’s theory on his LinkedIn account. For him, the leak’s authenticity is evident from the absence of false positives in the file’s account/email associations, which are common in cases of simple enrichment. Other analysts share this view, but the exact origin of the data is hard to determine.
The social network also rightly points out that the database contains neither passwords nor any other information that would allow a password to be bypassed, which greatly reduces the threat to the integrity of Twitter accounts.
The hypothesis that the flaw was exploited is not ruled out
The people behind the file’s release claimed to have exploited, at the end of 2021, a vulnerability in the workings of Twitter’s API [the interface for connecting with other sites, editor’s note]. In August 2022, the social network, not yet under Elon Musk’s control, acknowledged the existence of this bug, which had been reported by an ethical hacker in January and fixed immediately.
When an API user supplied an email address, the API returned the associated account, which it should not have done. All one had to do was repeat the process with the hundreds of email lists floating around on rogue forums to build a database. In other words, Twitter did not leak the personal information itself (the email address), but allowed it to be associated with an account. Fortunately, this association is not enough to log in to accounts, since logging in requires a password and a two-factor authentication code. On the other hand, it allows malicious actors to target accounts of interest (individuals, companies, etc.) with phishing [booby-trapped messages, editor’s note] personalized with this information, in the hope of robbing them.
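To make the mechanism concrete from a defender’s side, here is an added illustration (not Twitter’s code, and not from the article) of the two halves of the problem: a lookup endpoint that discloses which account an email belongs to, beside a hardened version that answers identically whether or not the address is registered, plus a small detector that flags a client querying many distinct addresses in a short window, which is what bulk use of leaked email lists looks like in server logs. The account directory, client identifiers and log lines are constructed sample data; the function names are hypothetical.

```python
from collections import Counter, defaultdict, deque

# Constructed sample directory (hypothetical handles); stands in for the real account store.
ACCOUNTS_BY_EMAIL = {
    "alice@example.com": "@alice",
    "bob@example.com": "@bob_builder",
}


def lookup_flawed(email: str) -> dict:
    """Flawed behaviour described in the article: the response reveals both whether
    the address is registered and which account it maps to, so a caller can link
    any email list to account handles one query at a time."""
    handle = ACCOUNTS_BY_EMAIL.get(email.strip().lower())
    if handle is None:
        return {"found": False}
    return {"found": True, "username": handle}


def lookup_hardened(email: str) -> dict:
    """Hardened form: the caller gets the same answer for known and unknown
    addresses. Any account-specific action (e.g. a notification) happens
    out-of-band to the address itself and is not visible in the response."""
    registered = email.strip().lower() in ACCOUNTS_BY_EMAIL
    if registered:
        pass  # e.g. queue an email to the address; nothing about it reaches the caller
    return {"status": "ok",
            "message": "If this address is registered, a notification has been sent to it."}


# Constructed log lines: "<epoch_seconds> <client_id> <email_queried>".
SAMPLE_LOG = [
    "1000 client-1 alice@example.com",
    "1030 client-1 alice@example.com",  # one user retrying the same address: benign
    "1000 client-7 a1@example.com",
    "1005 client-7 a2@example.com",
    "1010 client-7 a3@example.com",
    "1015 client-7 a4@example.com",
    "1020 client-7 a5@example.com",     # five distinct addresses in 20 s: enumeration pattern
    "2000 client-9 x1@example.com",
    "2100 client-9 x2@example.com",
    "2200 client-9 x3@example.com",     # spread out; only one address per 60 s window
]


def detect_enumeration(log_lines, window_s: int = 60, threshold: int = 5):
    """Return client ids that queried at least `threshold` distinct email addresses
    within any `window_s`-second sliding window. Distinctness matters: a legitimate
    user repeating one address is not enumeration, a client walking a list is."""
    events = []
    for line in log_lines:
        ts, client, email = line.split()[:3]
        events.append((int(ts), client, email.lower()))
    events.sort()

    window = defaultdict(deque)      # client -> deque of (ts, email) inside the window
    in_window = defaultdict(Counter)  # client -> email -> occurrences inside the window
    flagged = set()
    for ts, client, email in events:
        dq, ctr = window[client], in_window[client]
        dq.append((ts, email))
        ctr[email] += 1
        # Evict events older than the window and drop addresses no longer present.
        while dq and ts - dq[0][0] > window_s:
            old_ts, old_email = dq.popleft()
            ctr[old_email] -= 1
            if ctr[old_email] == 0:
                del ctr[old_email]
        if len(ctr) >= threshold:
            flagged.add(client)
    return sorted(flagged)


if __name__ == "__main__":
    print(lookup_flawed("alice@example.com"), lookup_flawed("nobody@example.com"))
    print(lookup_hardened("alice@example.com"), lookup_hardened("nobody@example.com"))
    print("flagged clients:", detect_enumeration(SAMPLE_LOG))
```

The hardened endpoint is the fix the article’s description implies: the API may still act on a registered address, but nothing in its response distinguishes a registered address from an unregistered one. The detector complements it for the case where a lookup must exist at all, by rate-limiting or alerting on distinct-address volume per client rather than on raw request count.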
This summer, Twitter confirmed a link between the bug and the release, also this summer, of a database of 5.4 million of its users. But the new management says the 200-million-user database will not be tied to it. “We could not link the new data to the previous incident,” the social network states in its press release.
Twitter is in the sights of regulators
However, Twitter did not directly contact users affected by this summer’s leak and does not intend to notify those affected by the latest one. The American regulator, the Federal Trade Commission, and the Irish regulator, Ireland being home to Twitter’s European headquarters, have opened investigations into both incidents and into the social network’s security more broadly. At least three Twitter executives responsible for security and data integrity have resigned without replacement since Elon Musk took over in late October.
Recall that Meta, Facebook’s parent company, was fined 275 million euros in Europe for violating the GDPR after a similar database (with phone numbers instead of email addresses) was published in 2021.