Twitter's mushrooming data breach crisis could prove costly

Since Elon Musk purchased Twitter in late October, non-stop turmoil and controversy have dogged the company, from massive staff firings and resignations to reputational damage from Musk's careless and often bizarre tweets. 

Now, mushrooming concern around a possible data breach stemming from a now-fixed Twitter flaw is poised to drive the company further down unless Twitter takes quick action.

Even as regulators in Europe begin to probe what appears to be a massive Twitter data breach, Twitter and Elon Musk have failed to comment publicly on the true extent of the breach. 

Experts say that unless Twitter gets ahead of the curve, informs regulators of the facts, and notifies users of how much of their public and private information has been exposed, the company could suffer serious financial and operating consequences.

Timeline of Twitter breach events

In keeping with the nature of dark web data merchants, the picture surrounding Twitter's data breach is murky. 

This latest headache for the company began in July when an actor known as "devil" put up for sale on a breached data forum a database of phone numbers and email addresses belonging to 5.4 million Twitter accounts.

Devil demanded payment of US$30,000 for the data and claimed to have swiped it via a vulnerability disclosed to Twitter on January 1, 2022. Twitter fixed the flaw on January 13, 2022.

The vulnerability affected Android users and allowed anyone without authentication to obtain a Twitter ID for any user by submitting a phone number or email handle, even if the user prohibited this action in the privacy setting. 

About a month after devil's posting, Twitter confirmed that a bad actor had taken advantage of the vulnerability and said it would send out notices to account owners affected by the breach.

The data containing the 5.4 million users' data was released for free on November 27, 2022. However, another database allegedly containing details on 17 million users was also circulating privately in November.

Then, in late December, Alon Gal, the co-founder and CTO of Israeli cyber crime intelligence company Hudson Rock spotted on a criminal data breach forum a posting by a user called "Ryushi" offering to sell the emails and phone numbers of 400 million Twitter users.

After another threat actor released a massive database related to 235 million Twitter users for free, Gal said that the initial figure of 400 million users included duplicates. However, the breach was still one of the "most significant" he'd ever seen.

Gal said that two different threat actors corroborated the 235 million figure. He also said the database likely contains the email addresses and public information of Twitter users but not their phone numbers, although a database of phone numbers of an unknown number of Twitter users likely exists.

Troy Hunt, who runs the data breach reporting site HaveIBeenPwned, says he found 211.5 million unique email addresses in the leaked database. Possibly yet another threat actor released a data set consisting of 200 million Twitter profiles on the Breached hacking forum for eight credits of the forum's currency, worth approximately $2.

Hackers breach the Twitter accounts of celebrities and media figures

During the year-end holidays and shortly after the New Year, the Twitter accounts of high-profile celebrities in the UK, India, and Australia were hacked.

Among the hacked profiles were TV commentator Piers Morgan, UK education secretary Gillian Keegan, Northern Ireland secretary Chris Heaton-Harris, singer Ed Sheeran, and Indian TV star Salman Khan.

Although it's possible these hacks were unrelated to the sample files released by Ryushi, Gal thinks they're connected. "This is likely not a coincidence: The reveal of the email address may have been just what the hacker needed to find passwords for the account, or social engineer his way," Gal said in a tweet.

Experts say Twitter should come clean

As conflicting reports about the Twitter breach continue to mount, cyber security experts call on Musk to clear up the confusion.

Gal tells CSO, "Twitter failed to acknowledge this breach, and it is a shame. They should acknowledge it as soon as possible, so users are alert to the risks they are now facing. I urge Twitter users to change passwords and be suspicious of phishing attempts and for Twitter to acknowledge this breach as soon as possible."

Douglas J. McNamara, Partner in Cohen Milstein's Consumer Protection practice, tells CSO he assumes that Twitter has "engaged and looked at some of this. But they may not be doing it publicly, and they may not want to share this publicly."

But as far as the law in the US is concerned, "it's kind of fuzzy," McNamara says, given the differences in state laws surrounding breach notifications.

"You would have to see who is in there, what PII [personally identifiable information] is in there. Is it the kind of PII that would trigger a reporting requirement (under typical risk of harm analysis required by state data breach notification laws]?”

Moreover, at this point, "It really isn't clear if this was a couple of different breaches, or if this was somebody using scripts to pull this information and add it to what was out there by mixing and matching or if somebody bought different things on the dark web and put them together. It's just not clear," McNamara says. "To say this is squishy is an understatement."

But he says from a good corporate governance perspective, Twitter would be in a better position if it came clean. 

"If I cared about my customers, the first thing I would do is check to see if it was legit or not and then assuage their concerns.

"It does not matter if the data breach preceded Musk's tenure as Twitter owner, he still must deal with the breach responsibly. "He bought the company. He bought the liability," says McNamara.

EU regulators use broader definitions

Even if Twitter were to take comfort in the currently squishy nature of the data breach under US state laws, European regulations might be able to inflict the most damage on Twitter.

European authorities have a wider range of factors to analyse in determining whether and the degree to which Twitter faces liability related to the breach.

On 23 December 2022, even before news hit that potentially hundreds of millions of Twitter users' data might have been breached, the Irish Data Protection Commission (DPC) launched a probe into the initial incident involving 5.4 million Twitter users.

The DPC said Twitter had furnished several responses to its queries and believes the company may have violated one or more of the EU's General Data Protection Regulation (GDPR) provisions.

Amy Worley, managing director and associate general counsel at Berkeley Research, tells CSO that "The GDPR has very strict data breach reporting requirements. It also has a very broad definition of what is a data breach. So, it's much broader than what exists under most of the US statutes."

Worley says that "the GDPR is not limited to economic harms the way US laws have been interpreted. So, privacy is a fundamental right in the EU, and it is tied to the rights and freedoms of data subjects."

Under the GDPR, companies have 72 hours to report a data breach and must report significant changes in their assessments of how many users have been affected.

"If they think a company is just ignoring or flouting the law, then the company is likely to get into trouble for that," Worley says.

Fines under the GDPR can reach up to 4 per cent of the company's global revenue, although that fine level is rare. Perhaps what should be even more concerning to Twitter is that the European Union could force Twitter to effectively shut down operations in Europe if evidence of an egregious violation emerges.

"The European Union can also revoke their ability to process European resident data," says Worley. "They also have the ability to stop international internet data transfers. And they have the ability to say, 'You're not permitted to process the personal data of European residents.'"

Her advice to Twitter or any organisation in similar circumstances is: "Understand what happened as quickly as possible. Then really be mindful of that analysis. Is this reasonably likely to impact the rights and freedoms of the data subject? Understand the fulsome way that the EU interprets that. It is not just economic harm."