Twitter has found no evidence that recent hacks into its platform were the result of cyber criminals exploiting vulnerabilities on its system.
The “thorough investigation” — which addressed breaches in December and January that affected 400 million and 235 million users, respectively — found the data was probably a collection of information already publicly available online through different sources, the San Francisco-based company said in a blog post on Thursday.
Twitter never directly acknowledged those hacks.
“In response to recent media reports of Twitter users' data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems,” the company said.
Twitter also said none of the data sets it analysed contained passwords or information that could lead to the former being compromised.
The breach reported earlier this month was the latest in a string of cyber security problems the microblogging platform has faced in the past year.
On January 4, a Twitter database containing about 235 million users was exposed on an online hacker forum, Israel-based cyber crime intelligence company Hudson Rock reported.
The data dump contained users' names, email addresses, screen names, number of followers and the dates of the creation of their accounts, as well as some phone numbers.
The exposure of the records is expected to lead to “a lot” of hacking and phishing attacks.
It would have been ranked among the top 15 biggest data breaches had it been included in the rankings of cyber security company UpGuard.
However, it will not exceed a breach that Twitter suffered in 2018, which stemmed from a password bug that exposed the accounts of about 330 million users.
That leak was also reported to have been caused by the same group that posted an advertisement on the same online forum selling the information of about 400 million Twitter users in early December.
These included handles, usernames, emails and phone numbers, with asking prices of up to $200,000.
Hudson Rock did not name the online forum that hosted the January data dump. However, it has been reported that the forum that hosted the December advertisement was a site called Breached, which has been known to regularly post and sell stolen data.
Further back, a similar breach emerged in November, in which the data of about 5.4 million users were posted online in August. The threat actor was reported to have been selling the data for up to $30,000.
The 5.4 million user accounts reported in November “were found to be the same as those exposed”, previously Twitter said. The company in August issued a patch to address the issue.
In all cases, the possibility of Twitter users' data having been shared privately has not been discounted.
Chief executive Elon Musk, who acquired the platform for $44 billion last year, has not commented on the results of the investigation, which was conducted by the company's incident response and privacy and data protection teams.
Twitter said that the January breach “could not be correlated with the previously reported incident, nor with any new incident”, or “any data originating from an exploitation of Twitter systems”.
The company reminded its users to enable security measures on their accounts, including two-factor authentication and hardware security keys, to protect them from unauthorised logins.
“We also encourage Twitter users to remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns,” it said.