Twitter says reports of hundreds of leaked email addresses are unrelated to a 2021 breach.
Earlier this month, hackers shared a database with the usernames and email addresses of 200 million Twitter users, claiming the information came from breaches dating back to 2021.
“We conducted a thorough investigation, and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems,” the company stated in a blog post.
Twitter says the data likely came together from public information that’s already available and “could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.”
Twitter updated its code in June 2021, resulting in a bug that would tell people what Twitter accounts were associated with specific email addresses and phone numbers. Twitter learned of the vulnerability in January 2022. While the bug impacted 5.4 million accounts in August 2022, no recent breaches of Twitter’s systems occurred.
Several cybersecurity analysts examined the breach, as The Verge reports, including Troy Hunt, the founder of Have I Been Pwned. The website allows people to search if their email addresses are part of data breaches.
Have I Been Pwned has now added the database to its website, and users can enter their emails to check if it’s part of the breach.
Even if the information on the 200 million accounts isn’t tied to a breach or includes any passwords, it is a cause for concern.
Twitter is asking its users to enable 2-factor authentication and remain observant of any emails. “Be wary of emails conveying a sense of urgency and emails requesting your private information, always double check that emails are coming from a legitimate Twitter source.”