Twitter Data Leak: API ‘Defect’ Exposed Information of Over 200M Users, Class Action Says
Last Updated on January 30, 2023
Gerber v. Twitter, Inc.
Filed: January 13, 2023 | 4:23-cv-00186
Twitter faces a class action that alleges an API “defect” allowed hackers to “scrape” the personal data of hundreds of millions of users.
Twitter faces a proposed class action that alleges a “defect” in the platform’s application programming interface (API) allowed hackers to “scrape” the personal data of hundreds of millions of users from at least June 2021 through January 2022.
The 23-page complaint out of California alleges the user information compromised as a result of the API “defect” includes usernames, email addresses and phone numbers associated with specific Twitter accounts. The case says the leaked data, when taken together, “deanonymize[s] tens of millions of Twitter users” who wished to remain anonymous while using the platform.
The suit calls the Twitter data leak a violation of the platform’s terms of service and a 2011 settlement agreement between Twitter and the Federal Trade Commission over the embattled social media platform’s misrepresentation of how it safeguards personal information.
“The cache of information exposed by the API exploitation includes over 200,000,000 Twitter users’ information [],” the complaint reads. “Because of the anonymized, pseudo-anonymized and confidential nature of Twitter … these Twitter users were not only misled by Twitter into thinking that they would remain publicly anonymous if they chose to do so, but that the [personally identifiable information] underpinning their accounts would also remain safely guarded by Twitter.”
To compound matters, the lawsuit says, Twitter “seemingly buried its head in the sand” as far as the scope of the API leak and may even have taken actions “intended to conceal the true magnitude” of the data breach. Twitter’s August 2022 response to the incident, in which it claimed that no passwords were exposed, that it did not know how many users were affected and that it had “no evidence to suggest someone had taken advantage of the vulnerability,” is “extremely problematic” as it shows that the platform “refuses to acknowledge the seriousness of what has occurred,” the suit contends.
“The [personally identifiable information] belonging to victims of the API exploitation is now being disseminated and sold on the dark web by cybercriminals who mined the information, despite Twitter’s representations and omissions to the contrary,” the filing states.
The lawsuit looks to cover all Twitter users who had their email addresses and/or telephone numbers compromised by Twitter’s API exploitation between June 2021 and January 2022.