• by Wendy Davis  @wendyndavis, January 16, 2023

A New York resident has sued Twitter over a security vulnerability that allegedly exposed the personal information of 200 million users.

The social media platform “deceived Twitter users and exposed them to a multitude of harms,” Stephen Gerber alleges in a class-action complaint filed Friday in U.S. District Court for the Northern District of California.

The complaint stems from reports that a flaw in Twitter's application programming interface exposed Twitter usernames combined with email addresses and phone numbers for around 200 million people. A purported database of the usernames, combined with email addresses and other information, surfaced online late last year.

The flaw allegedly existed between June of 2021 and January of 2022, before Tesla CEO Elon Musk took ownership of the social media company.

“Because of the anonymized, pseudo-anonymized and confidential nature of Twitter...these Twitter users were not only misled by Twitter into thinking that they would remain publicly anonymous if they chose to do so, but that the PII [personally identifiable information] underpinning their accounts would also remain safely guarded by Twitter,” Gerber alleges.

The complaint includes claims that Twitter was negligent, and that it violated its representations to users.  

Gerber says he used a pseudonym on Twitter “in order to protect his identity so that he could express himself and his thoughts on Twitter without fear of retribution, retaliation or embarrassment from employer(s) and his peers.”

He adds that had he known that Twitter would allow personal information to be exposed “he either would not have provided his email address or other identifying information to Twitter or he otherwise would not have used Twitter at all.”

Gerber is seeking monetary damages and an injunction requiring Twitter to encrypt data, among other measures. 

The Federal Trade Commission previously brought two enforcement actions against Twitter over privacy. The first, which stemmed from a hacking incident, resulted in a 2011 consent decree. In the second case, the FTC alleged that Twitter violated the consent decree by asking users for their phone numbers and email addresses for security purposes, then harnessing that data for ad targeting. Twitter agreed to resolve that matter by paying a $150 million fine and entering into a revised agreement with the agency.