Twitter has denied that emails alleged to be linked to millions of its users' accounts were obtained using a hack.

In its first statement on the matter, it wrote "there is no evidence" the data came from a flaw in its systems.

The records were instead probably a collection of data "already publicly available online", although it urged users to be wary of bogus emails.

The firm which raised the alarm about the alleged leaks, Hudson Rock, said it disputed Twitter's findings.

Alon Gal, the cyber-crime intelligence company's co-founder, said: "I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter's conclusion of the data being an enrichment of some sort which did not originate from their own servers."
Bug bounties

In December, Ireland's Data Protection Commission (DPC) Twitter's lead regulator in the EU, announced it was investigating a leak of data linked to 5.4 million accounts.

Twitter says it matched data revealed by a security flaw caused by a system update in June 2021.

The flaw meant, Twitter says, that if someone obtained an email address or phone number, the faulty system could be used to identify any Twitter accounts that were connected to them.

Twitter says it investigated and fixed the fault when it was warned about it in January 2022 through a "bug bounty" scheme that rewards researchers who alert it to security problems.
Hacker forum extortion

In December, Hudson Rock reported that a hacker called Ryushi was attempting to extort Twitter using the threat of an even bigger leak.

Ryushi claimed to have a trove of leaked emails and phone numbers associated with over 400 million user accounts, and offered to "sell" them exclusively to Twitter.

The flaw in Twitter's system was how Ryushi claimed to have obtained the data.

Following reports of the threatened extortion, the DPC said it would "examine Twitter's compliance with data protection law in relation to that security issue

BBC News