Twitter Inc. was sued over an alleged data leak that may have exposed the information of more than 200 million users but which the company denied was caused by a flaw in its system.
New York state resident Stephen Gerber claims his personal information was among the cache of data obtained by hackers between 2021 and 2022. He sued Friday in San Francisco federal court seeking class-action status for all those whose information was leaked.
Gerber blames a defect in Twitter’s application programming interface (API) that allowed cybercriminals to obtain usernames, emails and phone numbers of users of the social media website.
In January, an anonymous user on the hacker site BreachForums published a database that they claimed to contain basic information on hundreds of millions of Twitter users. Twitter said in a blog post that there was “no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems.”
“The data is likely a collection of data already publicly available online through different sources,” the company said.
Gerber claims in the complaint that Twitter “seemingly buried its head in the sand” and says the company may have tried to hide the magnitude of the leak.
Twitter “to this day, has inexplicably failed to notify or contact the victims of this particular API exploitation,” Gerber said.
Gerber is seeking unspecified monetary damages, likely to exceed $5 million, and court orders requiring Twitter to hire third-party security auditors to test and audit its systems as well as to implement and maintain a security program designed to protect the confidentiality of the users.
Twitter, which doesn’t have a public relations department, didn’t respond to an emailed request for comment.
The case is Gerber v. Twitter Inc., 3:23-cv-00186, US District Court, Northern District of California (San Francisco).