[tylerdurden91]

> "At that time, we had no evidence to suggest someone had taken advantage of the vulnerability. "

This sounds misleading or incompetent. If someone was harvesting data, then logs would indicate how many such login attempts were being made per second/minute/hour/day and the activity would spike in certain days, times, geographical areas to suggest this kind of activity is going on.

Even if the attacker was really careful spreading their activity over long periods of time & routing it via multiple geographical areas, the overall activity would show an uptick before & after the bug.

I find it highly unlikely that a company of the size of Twitter could not ascertain from their internal data that a bug like this was exploited or not.