
It doesn't have to be a psychological trick. Sometimes you don't actually have evidence it was exploited - at which point what are you meant to say?


It would be more honest to say "We aren't able to determine whether it was exploited" which could better brace potentially impacted users for the possibility they might be affected.

This is a relatively benign case but the same language is used in other breaches when people should be taking measures like freezing their credit or reviewing financial transactions.


How can anyone make any assertions about unknown unknowns?

It's one thing to say "My car was stolen", and another to declare "I am unable to determine if it's en route to the Taliban."


That isn't a reasonable analogy in any way.

The only thing that could happen with the data would be that it is exploited.

The only thing that happens to stolen cars is not going to the Taliban.

These are not even similar in nature. They aren't saying "the data was stolen". They also aren't saying "the data was available for exploit; we are unable to determine if that occurred."

What if they never looked for evidence of unauthorized access? They wouldn't have any!

This is the same as modern science and medicine frequently using this academic phrase, no evidence, when what they mean is that there has been no investigation.


It's more like saying "I left my car in a shady neighborhood unattended for 72 hours with the doors open and the key left in the ignition, but I haven't been keeping track of the mileage or the fuel level, so I'm not aware that anyone used it while I was away."

Nothing would have stopped someone from using it. Probably best to assume that they have.


You can make positive assertions though. E.g. the attack might have been simple, in which case it's possible to produce indicators that cover 100% of variants. Or it could have been complex, and indicators either don't cover every possible attack or they produce a large number of false positives.

Another thing to mention would be how far into the past you were able to look. E.g. in this case they have found out that the bug was introduced in 2021; were they able to inspect logs covering all of that period, or did they only have limited logs/other evidence, so it's impossible to know whether anyone used this opportunity or not?


It's not an unknown unknown. If there's a vulnerability and you're a hot target, you know there's a decent chance of getting exploited.


How about we don’t use terse language and a short blog post to describe a complex thing and instead talk about what happened, what you did to investigate, WHY you couldn’t determine if it was exploited, and what the heck you intend to do about it? How about some facts and transparency? How about some real honesty?


> instead talk about what happened, what you did to investigate, WHY you couldn’t determine if it was exploited, and what the heck you intend to do about it?

This will be read by optimistically 1% of people, the rest will just catch the summary. This way, you at least get to write the summary.


"At this time, there is no obvious evidence of malicious activity"


Well, “after investigating by <insert actual efforts taken here>, we were unable to find evidence it was exploited” would be a good start, as it would indicate some effort was put into disproving the hypothesis.


It provides close to nothing, because it doesn't indicate whether there was no evidence because there could be no evidence - you keep no logs - or whether there was no evidence in spite of the fact there definitely should be if it was exploited because of copious information kept that would show it.


I'm 100% certain they did put in actual effort. If you're so keen on knowing, there's a form at the bottom you can use to ask them.


Then they should share a bit about what they researched and how confident they are one way or another.

Seems like a fair expectation to have, to me.


"we have no way of knowing" is a much more informative statement than "we have no evidence", but it belies fallibility on the part of the speaker.


“We have no evidence” strongly implies some sort of extensive forensic dance was performed, and was fruitless. “We have no way of knowing” sounds much more like epistemological resignation. “Evidence” is a pretty loaded word to use.


"We have no way of knowing" may not be a correct statement. There could always be a way to know that you may have missed. It would be inhuman to claim "we have no way of knowing" in circumstances like this.


Fair enough, perhaps to be more specific they could say "we have not kept sufficiently detailed logs to determine what happened"


The burden of proof should fall on them to demonstrate that it wasn't exploited.

Otherwise, the reasonable thing to do is to assume that it was exploited, because they have no evidence to show that it wasn't.

The phrase is a psychological trick because it creates the illusion that the burden of proof falls on the other side.


You can't prove a negative.


There is no greatest prime number.

If there were, call it p, and let q = Π(P), P∈N:P is prime (Eratosthenes showed this is computable)

Then q+1 % 1 modulo every lesser prime, meaning q+1 is prime, and p is thus not the greatest prime.

There you go. We have just proven a negative.


In which case, the second paragraph applies.


But then you might as well just assume everything is compromised, at all times, even if there's been no announcement. They could just not be telling you.

Which is maybe not the worst strategy, but it's going to be pretty exhausting.

I'd suggest that instead we should just expect and enforce a certain amount of openness and honesty from companies when they fuck up in this way, so we can make informed decisions.


Well, yes - this is the dilemma which is not resolved with empty platitudes, even though "you can't prove a negative."

In the US and elsewhere, there are already some penalties for covering up a problem, and they should be expanded commensurately with the potential harm.


I mean, in practice what it tends to mean is the logs only had a 3 month TTL, so it really could be either way. "No evidence" implies there is at least a place there could have been evidence, they looked, and didn't find any, which is a weak but nonzero update towards it having not happened. It would be nice if they clarified exactly what they checked.


> "no evidence" implies there is at least a place there could have been evidence, they looked, and didn't find any

Yeah, I'd never assume that any of that is true. Sure, there probably are ways Twitter could find out if something has been being exploited, like evidence in server logs or new batches of accounts showing up for sale on the black market, but I wouldn't trust that they looked for them, or that they looked very hard, or that the person making press statements was told about it either way.

If a company has a financial incentive to not find information it's weird to assume they'd seriously look or be trusted to be honest about what they found.


’We have no proof this wasn’t exploited’


Other than being a psychological trick, what purpose could pointing out the lack of evidence at the time have? Instead they could have written something like "We found the problem in 2021 and promptly fixed it. We first learned that it had been exploited in 2022."


The phrasing is a bit more specific: "At that time, we had no evidence..."

It could also mean "oh I spent five minutes looking into it and didn't see any evidence"


That's a lawyered-up comment.


As are most PR statements by companies when discussing breaches publicly.
