Twitter has finally broken its silence on the first security incident of the Musk era: an alleged data breach that exposed millions of users’ contact information.
In late December, a poster on a popular cybercrime forum claimed to have obtained the email addresses and phone numbers of 400 million Twitter users through a zero-day security flaw in Twitter’s systems, which was previously blamed for exposing at least 5 million Twitter accounts before it was fixed in January 2022. Another, smaller dataset that was subsequently put up for sale, containing the email addresses associated with more than 235 million Twitter accounts, is said to be a sanitized version of the purported dataset of 400 million Twitter users. Investigators warned that the email addresses, which include the details of politicians, journalists and public figures, could be used to dox pseudonymous accounts.
Twitter, or what’s left of the company, addressed the situation last week.
In an unattributed blog post, Twitter said it had conducted a “thorough investigation” and found “no evidence” that the data sold online was obtained by exploiting a vulnerability in Twitter’s systems. A lack of evidence is not vindication, however, as it is unclear whether Twitter has the technical means, such as logs, to determine whether user data has been exfiltrated. The company previously said hackers likely distributed a collection of data that came from previous breaches and said the data did not correlate with data obtained by exploiting the bug that was fixed in January 2022.
What Twitter says may very well be true, but it’s hard to trust the company’s statement. Twitter’s erratic response raises many of the same questions that regulators will want answered: Who was tasked with investigating this breach, and does Twitter have the resources to do a thorough job?