A Twitter user has sued the troubled social media platform over an alleged data leak that exposed more than 200 million account users’ information.
In a class-action lawsuit [PDF] filed January 13 in a US district court in San Francisco, Stephen Gerber claims Twitter exposed his and “tens of millions” of other users’ personal information – specifically email addresses and phone numbers linked to accounts – between June 2021 and January 2022 because of an API flaw. Twitter said it fixed the defect last summer.
In December, however, crooks published a database containing stolen account information belonging to more than 400 million Twitter users after reportedly scraping these records by exploiting the API flaw. At the time, the miscreants listed the records for sale at $200,000.
A month later, however, a cleaned-up version of the records, whittled down to a mere 200 million users, appeared on a breach forum for anyone to download for free.
Big Bluebird has since claimed that “there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems.”
“The data is likely a collection of data already publicly available online through different sources,” wrote Elon’s plaything in a January 11 blog post.
According to the lawsuit, the massive data dump violated Twitter’s privacy policy and terms of service because it failed to protect non-public consumer information.
“At no point does Twitter disclose in their Privacy Policy that they allow cybercriminals to commandeer Twitter’s API in order to scrape sensitive PII from Twitter and to then weaponize or sell that information on the dark web,” the legal challenge states.
To make matters worse, Twitter “buried its head in the sand” about the API security flaw, or “may have even taken actions intended to conceal the true magnitude of this API exploitation,” it alleges.
Gerber is seeking monetary damages (the lawsuit doesn’t specify a dollar amount), and a court order requiring Twitter to improve its security program.
This includes hiring “third-party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests, and audits on Defendant’s systems on a periodic basis.”
Both of these are likely big asks for the embattled aviary which, under Elon Musk’s leadership, has slashed its staff numbers, lost its chief information security officer, and apparently resorted to auctioning off sculpture planters and espresso machines to cover the looming interest payment on Musk’s enormous loans.
The once-influential platform has lost more than 500 advertisers since Musk took over last year, according to The Information, which also reported a 40 percent decline in daily revenue.
Twitter, which has also axed its public relations department, unsurprisingly did not respond to The Register’s inquiries. ®