Twitter Says That Stolen Data From Them Isn’t From Them

If you have given up on following news about Twitter, I don’t blame you, but there as been a batch of ~400 million user records being sold online and marketed as coming from breaching Twitter’s systems.

Today Twitter is saying that there was “no evidence” of that data coming from Twitter’s systems.

After a comprehensive investigation, our Incident Response and Privacy and Data Protection teams concluded that:

• 5.4 million user accounts reported in November were found to be the same as those exposed in August 2022.
• 400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident.
• 200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of Twitter systems.
• Both datasets were the same, though the second one had the duplicated entries removed.
• None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.

Therefore, based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems.

There are two problems with this kind of statement:

1. “No evidence” doesn’t mean it didn’t happen.
2. How can anyone reasonably trust Twitter with this evaluation?

Whether you like Elon Musk or not, he’s all over the place, going down rabbit holes of conspiracy theories, and has gutted Twitter of talent, either directly or indirectly, especially in areas such as security. Even the rapidly shrinking group of people who still think Elon is a genius would have to take a deep breath and a LONG pause before believing a report like this because of the repetitional damage he has caused to Twitter and his own brand.

Trust matters a lot with these kinds of reports, and Twitter has none.