X (Twitter) Privacy News
https://x.com/en/privacy
Coverage: May 14, 2007 to Feb 17, 2026
Change Timeline
The Irish Data Protection Commission opened a formal GDPR inquiry into X's processing of personal data in connection with Grok's generation of deepfake images of real individuals. The inquiry examined whether X had a lawful basis for processing biometric and personal data to create AI-generated images, with particular focus on the impact on children and public figures.
French prosecutors raided X's Paris offices as part of a criminal investigation into the platform's failure to cooperate with authorities on content moderation and user data requests. The investigation focused on X's alleged non-compliance with French laws regarding the protection of minors and illegal content removal obligations.
California Attorney General Rob Bonta issued a cease-and-desist letter to xAI over Grok's generation of deepfake images and child sexual abuse material (CSAM). The letter cited violations of California law and demanded that xAI implement safeguards to prevent the generation of non-consensual intimate imagery and CSAM within 30 days.
X updated its Terms of Service to define all user interactions with Grok AI — including prompts, conversations, and feedback — as user 'Content' that X may use to train and improve its AI models. The change granted X a broad, royalty-free license to use Grok interactions without additional user consent beyond accepting the terms.
The European Commission fined X €120 million under the Digital Services Act (DSA) for operating a deceptive 'blue checkmark' verification system that allowed anyone to purchase a verified badge without meaningful identity verification. The Commission found this misled users about account authenticity and undermined trust in the platform's information integrity.
A massive dataset containing 2.8 billion user profile records was published online, believed to originate from a disgruntled insider or contractor. The data was cross-referenced with the 200 million email addresses leaked on BreachForums in January 2023, enabling deanonymization of pseudonymous accounts at unprecedented scale. X did not publicly acknowledge the leak.
X updated its privacy policy to explicitly allow sharing user data with 'third-party collaborators' for AI training purposes, extending beyond xAI/Grok to permit licensing user data to outside companies for training their generative AI models. Users who did not opt out would have their posts and interactions available for this purpose. The availability and clarity of opt-out mechanisms remained uncertain.
X began feeding users' public posts to xAI for Grok training by default, without prominent notice; the opt-out was buried deep in settings. EU users were included under a 'legitimate interest' basis. The Irish DPC took X to Ireland's High Court and secured an emergency order. X agreed to permanently stop processing the EU/EEA user data it had collected for Grok training during the period in question, but was not required to delete models already trained on that data.
Following the rebrand from Twitter to X, the privacy policy was substantially rewritten. New provisions allowed X to collect biometric data (faceprint and voiceprint) for 'safety, security, and identification purposes', plus employment and education history. The policy explicitly stated that publicly available information would be used to train machine learning and AI models — laying the groundwork for the Grok AI chatbot. These changes were made without individual user consent.
A database containing email addresses, names, and usernames of over 200 million Twitter users was published on BreachForums. The data had been scraped through an API vulnerability introduced in June 2021 that allowed anyone to submit a phone number or email address and learn which account it belonged to, regardless of the owner's discoverability settings. An earlier dataset of 5.4 million records had been sold for $30,000 in July 2022. The mass exposure posed major phishing and deanonymization risks for activists, journalists, and dissidents. Twitter had acknowledged the underlying flaw in August 2022 but, when the 200 million record set surfaced, said it had found no evidence the data was obtained by exploiting a vulnerability in its systems.
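The flaw behind both datasets was a lookup that answered "which account owns this email or phone number" for any caller, ignoring the owner's privacy settings, and answered it as many times as the caller liked. The following is an added example, not Twitter's code, that contrasts that behaviour with a lookup that honours the per-identifier opt-in and caps how many identifiers one caller may resolve. The Account fields, the directory entries and the quota value are constructed for illustration.

```python
"""Contact lookup: an enumeration-prone version beside a hardened one.

Added illustration with constructed data; none of these accounts or
settings are real, and the class is not Twitter's implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    # Privacy settings of the kind "Let people who have your email/phone find you".
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False


# Constructed sample directory (not real accounts).
DIRECTORY = [
    Account("@activist", "a@example.org", "+15550100", False, False),
    Account("@brand", "pr@example.com", "+15550101", True, True),
    Account("@journalist", "j@example.net", "+15550102", False, True),
]


def _is_email(identifier: str) -> bool:
    return "@" in identifier


def lookup_vulnerable(identifier: str) -> Optional[str]:
    """The bug class: any email or phone resolves to a handle, whatever
    the owner's settings say. Feeding a leaked list of emails through
    this yields the pseudonymous handle behind each one."""
    for acct in DIRECTORY:
        if identifier in (acct.email, acct.phone):
            return acct.handle
    return None


class LookupService:
    """Hardened lookup: returns a handle only if the owner opted in to
    discovery by that identifier type, and caps lookups per caller so a
    scraped list cannot be resolved in bulk. The quota here is tiny for
    demonstration; a real contact-sync endpoint would allow more."""

    def __init__(self, quota: int = 2):
        self.quota = quota
        self._used: dict[str, int] = {}

    def lookup(self, caller: str, identifier: str) -> Optional[str]:
        used = self._used.get(caller, 0)
        if used >= self.quota:
            raise PermissionError("lookup quota exceeded")
        self._used[caller] = used + 1
        for acct in DIRECTORY:
            if _is_email(identifier):
                if identifier == acct.email and acct.discoverable_by_email:
                    return acct.handle
            elif identifier == acct.phone and acct.discoverable_by_phone:
                return acct.handle
        # Same answer for "no such account" and "exists but not discoverable",
        # so a miss does not confirm that the identifier is registered.
        return None
```

The hardened version still reveals handles for users who chose to be findable; that is the feature working as intended. What it removes is the ability to resolve identifiers whose owners never opted in, and the ability to do so millions of times from one client.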
The FTC fined Twitter $150 million for using phone numbers and email addresses collected for two-factor authentication to target users with advertising. From 2014 to 2019, over 140 million users were told their contact information was being collected for security purposes while it was simultaneously fed into Twitter's ad targeting system. This violated Twitter's 2011 FTC consent order. The new settlement required a comprehensive privacy program subject to independent auditing.
The Irish DPC fined Twitter €450,000 for failing to notify the regulator of a data breach within the 72-hour window required by GDPR and failing to adequately document the breach. A bug in Twitter's Android app had caused protected tweets from private accounts to become publicly visible. This was the first major GDPR enforcement decision against a big tech company to go through the EU's Article 65 dispute resolution process.
A 17-year-old hacker and accomplices used phone spear-phishing attacks against Twitter employees to gain access to internal admin tools, then hijacked high-profile accounts (Barack Obama, Joe Biden, Elon Musk, Jeff Bezos, Apple, Uber) to promote a Bitcoin scam that netted over $118,000. The breach exposed severe internal access control weaknesses and raised questions about how many employees had god-mode access to user accounts.
Twitter admitted that phone numbers and email addresses provided by users for two-factor authentication had been inadvertently used for advertising targeting since 2014. The company said it had matched security contact information to advertiser audience lists through its Tailored Audiences system, affecting an estimated 140 million users. This practice later formed the basis of the FTC's $150 million fine in 2022.
Twitter disclosed that a bug in its iOS app had sent some users' location data to an unnamed advertising partner. The bug affected users who had enabled precise location for one account on a device while using other accounts on the same device, and it also sent location for those other accounts; the data was said to have been fuzzed to roughly zip code or city level before transmission. Twitter said the bug had been fixed and the partner had been asked to delete the data.
Twitter updated its privacy policy globally in response to the EU's General Data Protection Regulation (GDPR) taking effect. The revised policy expanded disclosures about data collection practices, third-party data sharing, and international data transfers. Twitter also introduced new privacy controls and a downloadable data archive for all users.
Twitter disclosed that a bug had caused all 336 million users' passwords to be written in plaintext to an internal log before being hashed with bcrypt. The passwords sat in readable form on internal systems and could have been accessed by employees. Twitter urged all users to change their passwords and said it had fixed the bug and found no evidence of misuse.
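The failure mode here is a logging statement that serialises the whole login request before the password has been hashed. The following is an added example, not Twitter's code, that shows the leaky log line beside a version that redacts credential-like fields before logging and hashes the password as the first thing it does. The field names, the regex of sensitive keys, the REDACTED marker and the sample payload are constructed; scrypt stands in for bcrypt because it is in the standard library.

```python
"""Login logging before and after redaction, plus immediate hashing.

Added illustration; the payload and key names are constructed and the
functions are not Twitter's code.
"""
import hashlib
import hmac
import json
import os
import re
from typing import Any, Optional, Tuple

# Key names that must never reach a log line. Matched case-insensitively as
# substrings, so "Password", "old_passwd" and "csrf_token" are all caught.
# Deliberately conservative: a key like "passenger" would also be masked.
SENSITIVE_KEY = re.compile(r"pass(word|wd|phrase)?|secret|token|otp|cookie", re.I)
REDACTED = "[REDACTED]"


def redact(value: Any) -> Any:
    """Return a copy of a JSON-like structure with sensitive values masked.
    Recurses into dicts and lists so nested payloads are covered too."""
    if isinstance(value, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(str(k)) else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def log_line_vulnerable(payload: dict) -> str:
    """The bug class: the raw request is serialised into the log as received,
    so the plaintext password lands on disk before hashing ever runs."""
    return "login attempt: " + json.dumps(payload, sort_keys=True)


def log_line_hardened(payload: dict) -> str:
    """Same log line with credential-like fields masked."""
    return "login attempt: " + json.dumps(redact(payload), sort_keys=True)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """scrypt with a per-user random salt, stored as hex 'salt$digest'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def handle_login(payload: dict) -> Tuple[str, str]:
    """Hardened flow: hash first, then log only the redacted payload.
    Returns (stored_hash, log_line) so a caller can confirm that neither
    contains the plaintext."""
    stored = hash_password(payload["password"])
    return stored, log_line_hardened(payload)
```

Redaction at the log call is the last line of defence, not the first: the request handler should never hold the plaintext longer than it takes to hash it, and anything that dumps whole request objects (debug middleware, crash reporters, tracing) needs the same filter.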
Twitter quietly abandoned its support for Do Not Track, ceasing to honor the browser signal it had championed since 2012. Simultaneously, Twitter expanded its data retention window for ad impressions from 10 days to 30 days, enabling more extensive user profiling for advertising purposes.
The Syrian Electronic Army hijacked the Associated Press's verified Twitter account and posted a fake tweet claiming two explosions at the White House had injured President Obama. The tweet briefly sent the S&P 500 down by about one percent, erasing roughly $136 billion in market value before the hoax was identified and the market recovered within minutes.
Twitter disclosed that approximately 250,000 user accounts were compromised in a sophisticated attack that accessed usernames, email addresses, session tokens, and salted password hashes (described by Twitter as 'encrypted/salted'). Twitter invalidated the session tokens and reset the passwords of all affected accounts, and warned that the incident was not the work of amateurs.
Twitter became the first major social media platform to support the Do Not Track (DNT) browser header, honoring users' privacy preferences by not collecting browsing data from third-party sites for ad targeting. The move was praised by privacy advocates and the FTC as a model for the industry.
The FTC finalized a consent decree barring Twitter for 20 years from misleading consumers about the security of their personal information. Twitter was required to implement a comprehensive information security program subject to independent audits every two years. The order stemmed from the 2009 breaches that exposed administrative controls over all user accounts.
A second breach occurred when a hacker compromised a Twitter employee's personal email account and, from password information stored in plain text in that mailbox, worked out the employee's Twitter administrative password. The attacker accessed internal company documents and employee accounts. This incident, combined with the January breach, became central evidence in the FTC's 2011 case.
A hacker ran an automated dictionary-based password-guessing tool against the account of a Twitter support employee, whose password was a single common word, and then used that employee's administrative tools to take over high-profile accounts, including President-elect Barack Obama's. The attacker posted unauthorized messages and accessed private DMs. Twitter enforced no rate limiting or lockout after repeated failed login attempts against administrative accounts, so the guessing ran unimpeded.
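The control missing in 2009 was any response to repeated failures against one account. The following is an added example, not Twitter's code, that runs a small dictionary attack against an unthrottled credential check and then against the same check wrapped in a per-account failure counter with escalating lockout. The wordlist, the account, the single-word password and the thresholds are constructed for illustration; the clock is injected so the lockout can be exercised without sleeping.

```python
"""Dictionary attack against a support-tool login, unthrottled and throttled.

Added illustration with constructed data; the account, wordlist and
thresholds are not Twitter's.
"""
import hmac
from typing import Callable, Optional

# Constructed: a support staffer whose password is one dictionary word.
ADMIN_USERS = {"support-staff": "happiness"}

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine", "happiness", "dragon"]


def check_password(user: str, password: str) -> bool:
    """Credential check with no throttling: the 2009 weakness. Every guess
    gets an honest yes/no, as fast as the server can answer."""
    expected = ADMIN_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class LoginGuard:
    """Per-account failure counter with escalating lockout.

    After `threshold` consecutive failures the account is locked for
    `base_lockout` seconds; each further failure doubles the lockout.
    A successful login resets the state."""

    def __init__(self, clock: Callable[[], float], threshold: int = 5,
                 base_lockout: float = 60.0):
        self.clock = clock
        self.threshold = threshold
        self.base_lockout = base_lockout
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def locked_for(self, user: str) -> float:
        """Seconds of lockout remaining for `user` (0.0 if not locked)."""
        return max(0.0, self._locked_until.get(user, 0.0) - self.clock())

    def attempt(self, user: str, password: str) -> bool:
        if self.locked_for(user) > 0:
            # Refuse before checking the password: a locked account gives the
            # attacker no signal about whether this particular guess was right.
            return False
        if check_password(user, password):
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return True
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.threshold:
            # 60 s on the 5th failure, 120 s on the 6th, 240 s on the 7th, ...
            self._locked_until[user] = (
                self.clock() + self.base_lockout * 2 ** (n - self.threshold))
        return False


def dictionary_attack(user: str, try_login: Callable[[str, str], bool]) -> Optional[str]:
    """Run the wordlist against `try_login`; return the first accepted word."""
    for word in WORDLIST:
        if try_login(user, word):
            return word
    return None
```

Against the bare check the sixth guess wins. Against the guard the fifth failure locks the account, the correct word arrives during the lockout and is rejected unseen, and the attacker leaves with nothing. Lockout alone is not the whole answer (it can be used to deny service to the legitimate administrator, and it does nothing against credential stuffing spread across many accounts), which is why administrative access should also require a second factor and an allow-listed network path.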