X (Twitter) Privacy News

https://x.com/en/privacy

30 tracked events
Coverage: May 14, 2007 to May 8, 2026

Event Timeline

30 events

moderate | Anti-Privacy | Lawsuit

A federal judge declined to immediately approve a $1.5 million settlement between Elon Musk and the SEC over allegations he delayed disclosing his 5% stake in Twitter by 11 days in 2022, potentially saving $150 million. Judge Sparkle Sooknanan ordered both parties to appear in court and provide briefs justifying the settlement's fairness and whether it serves the public interest. The SEC lawsuit, filed days before the Biden administration ended, accused Musk of violating disclosure rules duri...

moderate | Anti-Privacy | Enforcement

Elon Musk settled an SEC lawsuit by agreeing to pay a $1.5 million fine through a trust for failing to timely disclose his purchase of over 5% of Twitter stock in 2022, which the SEC alleged allowed him to buy shares at artificially low prices and save approximately $150 million. Under the settlement, Musk does not admit wrongdoing and is not required to return the $150 million he allegedly saved at the expense of other investors who sold shares during the delayed disclosure period. Critics, ...

moderate | Anti-Privacy | Lawsuit

Elon Musk is suing OpenAI and CEO Sam Altman in federal court, alleging the company breached its original nonprofit mission to benefit humanity by transitioning to a for-profit structure and keeping AI technology proprietary instead of open source. Musk, who co-founded OpenAI in 2015 and donated approximately $38 million before leaving in 2018, claims he was deceived about the company's intentions and that his contributions were misused. The trial's outcome could significantly impact OpenAI's...

major | Anti-Privacy | Enforcement

The Irish Data Protection Commission opened a formal GDPR inquiry into X's processing of personal data in connection with Grok's generation of deepfake images of real individuals. The inquiry examined whether X had a lawful basis for processing biometric and personal data to create AI-generated images, with particular focus on the impact on children and public figures.

moderate | Anti-Privacy | Enforcement

French prosecutors raided X's Paris offices as part of a criminal investigation into the platform's failure to cooperate with authorities on content moderation and user data requests. The investigation focused on X's alleged non-compliance with French laws regarding the protection of minors and illegal content removal obligations.

moderate | Anti-Privacy | Enforcement

California Attorney General Rob Bonta issued a cease-and-desist letter to xAI over Grok's generation of deepfake images and child sexual abuse material (CSAM). The letter cited violations of California law and demanded that xAI implement safeguards to prevent the generation of non-consensual intimate imagery and CSAM within 30 days.

moderate | Anti-Privacy | Policy Change

X updated its Terms of Service to define all user interactions with Grok AI - including prompts, conversations, and feedback - as user 'Content' that X may use to train and improve its AI models. The change granted X a broad, royalty-free license to use Grok interactions without additional user consent beyond accepting the terms.

major | Anti-Privacy | Enforcement

The European Commission fined X €120 million under the Digital Services Act (DSA) for operating a deceptive 'blue checkmark' verification system that allowed anyone to purchase a verified badge without meaningful identity verification. The Commission found this misled users about account authenticity and undermined trust in the platform's information integrity.

moderate | Anti-Privacy | Policy Change

X updated its privacy policy to explicitly allow sharing user data with 'third-party collaborators' for AI training purposes, extending beyond xAI/Grok to permit licensing user data to outside companies for training their generative AI models. Users who did not opt out would have their posts and interactions available for this purpose. The availability and clarity of opt-out mechanisms remained uncertain.

major | Anti-Privacy | Enforcement

X enabled a default opt-in that automatically shared users' public posts with xAI for Grok training, without prominent notice. The opt-out was buried deep in settings. EU users were included under a 'legitimate interest' basis. The Irish DPC took X to Ireland's High Court, securing an emergency order. X agreed to permanently suspend processing EU/EEA user data for Grok training, though it was not required to delete models already trained on that data.

major | Anti-Privacy | Policy Change

Following the rebrand from Twitter to X, the privacy policy was substantially rewritten. New provisions allowed X to collect biometric data (faceprint and voiceprint) for 'safety, security, and identification purposes', plus employment and education history. The policy explicitly stated that publicly available information would be used to train machine learning and AI models - laying the groundwork for the Grok AI chatbot. These changes were made without individual user consent.

major | Anti-Privacy | Data Breach

A database containing email addresses, names, and usernames of over 200 million Twitter users was published on BreachForums. The data was scraped using an API vulnerability introduced in June 2021 that allowed anyone to look up accounts by phone number or email. An earlier dataset of 5.4 million records had been sold for $30,000 in July 2022. The mass exposure posed major phishing and deanonymization risks for activists, journalists, and dissidents. Twitter did not issue a public disclosure.

major | Anti-Privacy | Enforcement

The FTC fined Twitter $150 million for using phone numbers and email addresses collected for two-factor authentication to target users with advertising instead. From 2014 to 2019, over 140 million users were told their contact information was being collected for security purposes while it was simultaneously fed into Twitter's ad targeting system. This violated Twitter's 2011 FTC consent order. The new settlement required a comprehensive privacy program subject to independent auditing.

moderate | Anti-Privacy | Enforcement

The Irish DPC fined Twitter €450,000 for failing to notify the regulator of a data breach within the 72-hour window required by GDPR and failing to adequately document the breach. A bug in Twitter's Android app had caused protected tweets from private accounts to become publicly visible. This was the first major GDPR enforcement decision against a big tech company to go through the EU's Article 65 dispute resolution process.

major | Anti-Privacy | Data Breach

A 17-year-old hacker and accomplices used phone spear-phishing attacks against Twitter employees to gain access to internal admin tools, then hijacked high-profile accounts (Barack Obama, Joe Biden, Elon Musk, Jeff Bezos, Apple, Uber) to promote a Bitcoin scam that netted over $118,000. The breach exposed severe internal access control weaknesses and raised questions about how many employees had god-mode access to user accounts.

moderate | Anti-Privacy | Data Breach

Twitter admitted that phone numbers and email addresses provided by users for two-factor authentication had been inadvertently used for advertising targeting since 2014. The company said it had matched security contact information to advertiser audience lists through its Tailored Audiences system, affecting an estimated 140 million users. This practice later formed the basis of the FTC's $150 million fine in 2022.

moderate | Anti-Privacy | Data Breach

Twitter disclosed that a bug in its iOS app had shared some users' precise location data with an unnamed advertising partner. The data was collected even from users who had enabled location sharing only for features like tweet geotags. Twitter said the bug had been fixed and the partner had been asked to delete the data.

moderate | Neutral | Policy Change

Twitter updated its privacy policy globally in response to the EU's General Data Protection Regulation (GDPR) taking effect. The revised policy expanded disclosures about data collection practices, third-party data sharing, and international data transfers. Twitter also introduced new privacy controls and a downloadable data archive for all users.

moderate | Anti-Privacy | Data Breach

Twitter disclosed that a bug had caused all 336 million users' passwords to be written in plaintext to an internal log before being hashed. The passwords were stored in readable form on internal systems and could have been accessed by employees. Twitter urged all users to change their passwords and said it had fixed the bug and found no evidence of misuse.

moderate | Anti-Privacy | Policy Change

Twitter quietly abandoned its support for Do Not Track, ceasing to honor the browser signal it had championed since 2012. Simultaneously, Twitter expanded its data retention window for ad impressions from 10 days to 30 days, enabling more extensive user profiling for advertising purposes.

moderate | Anti-Privacy | Data Breach

The Syrian Electronic Army hacked the Associated Press's verified Twitter account and posted a fake tweet claiming two explosions at the White House had injured President Obama. The tweet briefly crashed the S&P 500 index, wiping approximately $136 billion in market value before it was identified as a hoax within minutes.

moderate | Pro-Privacy | Policy Change

Twitter became the first major social media platform to support the Do Not Track (DNT) browser header, honoring users' privacy preferences by not collecting browsing data from third-party sites for ad targeting. The move was praised by privacy advocates and the FTC as a model for the industry.

major | Anti-Privacy | Enforcement

The FTC finalized a consent decree barring Twitter for 20 years from misleading consumers about the security of their personal information. Twitter was required to implement a comprehensive information security program subject to independent audits every two years. The order stemmed from the 2009 breaches that exposed administrative controls over all user accounts.

moderate | Anti-Privacy | Data Breach

A second breach occurred when a hacker compromised a Twitter employee's personal email account, which used the same or similar password as their Twitter admin credentials. The attacker accessed internal company documents and employee accounts. This incident, combined with the January breach, became central evidence in the FTC's 2011 case.

moderate | Anti-Privacy | Data Breach

A hacker used a dictionary-based password-guessing tool against Twitter's admin panel and gained control of approximately nine high-profile accounts, including President-elect Barack Obama's. The attacker posted unauthorized messages and accessed private DMs. Twitter had no rate-limiting or lockout protections on the admin interface.

X (Twitter) Privacy News - Policy Changes, Breaches & Enforcement | PrivacyWire