Twitter has refuted claims that emails purportedly connected to millions of its users’ accounts were obtained through hacking.
It stated in its initial response that “there is no proof” that the data was the result of a systemic error.
Although it cautioned users to be wary of fraudulent emails, it said the records were likely a compilation of data that was “already freely available online.”
Hudson Rock, the company that first alerted people to the suspected breaches, said it disagreed with Twitter’s findings.
“I urge security researchers to perform a thorough investigation of the leaked data and rule out Twitter’s conclusion that the data is an enrichment of some sort that did not originate from their own systems,” said Alon Gal, co-founder of the cybercrime intelligence firm.
Twitter’s top EU regulator, Ireland’s Data Protection Commission (DPC), revealed in December that it was looking into a data breach involving 5.4 million users.
Twitter claims to have matched data that was made public through a security hole introduced by a system update in June 2021.
According to Twitter, the issue meant that anyone who had access to an email address or phone number could use the flawed system to determine which Twitter accounts were linked to them.
Twitter has not made clear whether the email addresses are authentic, whether they were appropriately matched with user accounts, and if so, how that was done.
Earlier, the news website Bleeping Computer claimed to have verified the validity of a few of the email accounts.
Twitter advised users to “be extra careful,” noting that the stolen data may be used to craft “extremely successful” phishing emails.
The dominant social media company added that it had informed the relevant data protection authorities of its findings.