Twitter has been silent on the matter for months, but finally spilled the beans over an alleged data breach that exposed the contact information of millions of users. The social media platform says it was notified in November by somebody claiming to have stolen user data from a third-party site and used it to create fake accounts. Twitter said all affected users had been notified and their account details had been redacted so they couldn’t be re-targeted inappropriately. Nevertheless, many were left feeling uneasy about just how secure their personal information really is on Twitter, especially given the recent history of hacks and data breaches at
The large number of email addresses and phone numbers included in the alleged 400 million Twitter scraping dataset could be used to dox pseudonymous accounts, researchers warned. The dataset also contained the details of politicians, journalists and public figures, raising concerns that it could be used for personal or even political gain.
Twitter’s attempts to recover from last year’s data breach have been largely unsuccessful, as the company has been forced to deactivate millions of accounts in order to combat spam and abuse. CEO Jack Dorsey recently announced that the company would be suspending new user registrations until May 1st in order to focus on improving
Twitter’s investigation found that the data sold online did not come from a vulnerability in its systems, but rather from data that had been pulled from previous breaches. This suggests that hackers may have been circulating a collection of data pulled from past breaches in order to sell it off, rather than exploiting a bug to obtain user data. Because Twitter does not have the means to determine if any user data was exfiltrated, the company’s statement acknowledges that attackers may still be able to exploit vulnerabilities in its systems in order to access users’ private information.
Twitter’s statement that its security was not breached implies that the hackers who accessed Twitter user accounts were only able to view unprotected passwords. However, if a hacker gains access to an account’s entire archive of tweets, they may be able to glean much more personal information about the user – such as their birthdate and registration IP address. This raises many questions for Twitter: Who was tasked with investigating this breach? Does Twitter have the resources to do a thorough job? And most importantly, should users change their passwords everywhere they use online services?