Twitter Sued Over Data Leak, Denies Responsibility

More than 200 million users’ information was compromised in the alleged 2021-2022 incident

A New York resident is suing Twitter over an alleged data leak caused by a flaw in the platform’s systems, which the company denies.

On Friday, Stephen Gerber filed a class action suit with the San Francisco federal court over the 2021-2022 hack that may have affected more than 200 million users’ private information.

According to a Bloomberg report, Gerber faults the company’s application programming interface, or API, for enabling hackers to access usernames, email addresses and phone numbers. In a Jan. 11 blog post, the company maintained that there is “no evidence” that the information being sold online was obtained through an issue with Twitter’s systems.

“The data is likely a collection of data already publicly available online through different sources,” the post read.

Twitter says that in July 2022, it became aware that a “bad actor” was offering to sell information it had obtained through a “vulnerability in Twitter’s systems.”

“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” the post stated. “At the time, we notified the affected users promptly and the relevant authorities.”

However, it claimed that the incident reported in Jan. 2023 was not new and that “none of the datasets analyzed [in an investigation by Twitter’s Incident Response and Privacy and Data Protection teams] contained passwords or information that could lead to passwords being compromised.”

In the case filing, Gerber says Twitter may have tried to downplay the scale of the data breach. He added that the company “to this day, has inexplicably failed to notify or contact the victims of this particular API exploitation.”

Bloomberg reported that Gerber is seeking unspecified monetary damages likely in excess of $5 million. The suit also seeks a court order requiring Twitter to employ third-party security auditors to monitor its systems and improve user security.

The case is Gerber v. Twitter Inc., 3:23-cv-00186, US District Court, Northern District of California (San Francisco).

Twitter currently does not have a press relations department available to comment on the suit.