A class action lawsuit against Twitter alleges a user’s identity was revealed due to the data leak. The plaintiff says Elon Musk’s company violated its promise to protect user information.
“[...] from June 2021 through January 2022, a defect in Twitter’s application programming interface (“API”) allowed cybercriminals to exploit this defect and “scrape” data from Twitter,” reads the lawsuit.
The API bug led to a major data leak in December 2022, when threat actors posted an ad on a well-known hacker forum, claiming they were selling the data of over 400 million Twitter users.
The dataset includes Twitter handles, usernames, email addresses, and phone numbers. A week later, threat actors publicly disclosed 63GB of data, connecting over 200 million Twitter users with their names and email addresses.
However, Twitter denied the data was obtained by exploiting a vulnerability of Twitter systems and said the data was likely a “collection of data already publicly available online through different sources.”
Meanwhile, the lawsuit claims the plaintiff, Stephen Gerber, used an anonymous Twitter username that was compromised in the recent incident when his non-anonymous email address was linked with his Twitter handle.
Interestingly, Twitter has already come under scrutiny by Ireland’s Data Protection Commission (DPC) over the API flaw that led to the leak of data belonging to 5.4m users last July.
The lawsuit points out that in August 2022, Twitter said they fixed the API flaw that led to the July leak and found “no evidence to suggest someone had taken advantage of the vulnerability.”
The lawsuit seeks monetary damages and asks the court to order Musk’s company to improve its security practices by employing independent third-party auditors, penetration testers, and internal security personnel who would enable the company to prevent similar leaks in the future.
However, as Musk took over the company, the number of Twitter employees was reduced by half, with more layoffs reportedly on the way. Security researchers fear that mass layoffs contribute to increased risks for cybersecurity in many tech companies.