A Twitter user sued the social media company over an alleged data breach. The lawsuit says the breach was caused by a flaw in the company’s systems, which may have exposed the personal information of millions of users. Twitter denies the accusation.
Stephen Gerber, a New York resident, filed a lawsuit on Friday, January 13, in a federal court in San Francisco, claiming that his personal information was among the data collected by the hackers during the seven months between July 2021 and January 2022.
The New Yorker is seeking class-action status for all Twitter users affected by the breach and has asked the court to order Twitter to pay out over five million dollars in damages and require the company to hire third-party security auditors.
Gerber’s lawsuit blamed a flaw in the platform’s API (application programming interface), which allowed hackers to access and obtain data from the social media platform.
According to the lawsuit, the stolen data included usernames, phone numbers, and email addresses that cybercriminals can use in phishing scams, and the information is being sold on the dark web.
In August 2022, Twitter admitted that almost five and a half million accounts had been breached when someone the company termed a “bad actor” stole users’ personal information through a vulnerability in the platform’s systems, which the company refused to specify.
According to the statement released by Twitter during their announcement of the breach, the company had swiftly notified authorities and affected users, and they had fixed the vulnerability.
Earlier this month, an anonymous person posted on BreachForums, a popular hacker site, publishing a database that he claimed contained basic information about millions of Twitter users.
In response to the claim, Twitter published a blog post on Wednesday, January 11, maintaining that there was no evidence showing that the information being sold online was obtained by hackers who exploited a vulnerability in the company’s systems.
In the blog post, Twitter said that the data is most likely a collection of publicly available data from different online sources. They said they had reviewed a sample of the available data being sold and confirmed that a hacker had taken advantage of the breach before Twitter addressed it.
Twitter claimed that the data breach reported in January was not new and that the company’s Incident Response and Privacy and Data Protection teams had analyzed the data sets said to contain private information for sale. None of them contained passwords or information that could lead to passwords being compromised.
The statement was released two days before Gerber’s lawsuit was filed.
In the lawsuit, Gerber claimed that Twitter may have downplayed the data breach’s scale and that the company has never notified the victims of the breach.
The lawsuit reads, “Twitter seemingly buried its head in the sand regarding the magnitude of this API exploitation or, even worse, Twitter may have even taken actions intended to conceal the true magnitude of this API exploitation.”
Twitter, now owned by Elon Musk, is facing several other lawsuits. One of Twitter’s landlords in San Francisco filed a suit against the company on January 3, 2023, claiming rent arrears of about $136,000.
Imply Data Inc. and Canary Marketing also sued the company for allegedly failing to pay them for their services. Imply Data Inc. claimed that Twitter refused to honor a multi-billion contract that was supposed to end in 2024.