After a ransomware infection, the United States Conference of Mayors unanimously voted to stop paying ransoms to hackers in July 2019. Cybersecurity experts heralded the decision, and numerous companies have also taken a stance that a ransom should never be paid – as doing so will likely only result in future attacks from bad actors.
Twitter ignored calls to pay a ransom after the theft of data belonging to hundreds of millions of its users. This week the details of more than 200 million accounts were posted to a hacker forum. Sundar Pichai and Donald Trump Jr. are just a few of the well-known names and entities included.
The database contained account names, handles, creation dates, follower counts and email addresses. The data may have been used by hackers to access Twitter user accounts. Researchers also warned it could be used for “doxxing”, social engineering, or other purposes.
It is notable that attention is not being paid to this breach.
David Maynor (senior director of Threat Intelligence, cybersecurity company Cybrary) said that it is tempting to just shrug it off and think “that’s normal life in big cities.” How many of the people affected by this Twitter data breach have had their data made public for the first time? Based on the number of breaches in which my data was exposed, I am eligible for free credit monitoring throughout my life.
Understanding the significance of the incident requires knowing how it occurred and what users can expect in the future.
Sammy Migues (principal scientist, Synopsys Software Integrity Group) stated that API security was the main story.
An application programming interface (API) is basically the interface that allows two or more computers to talk with each other. For any API that is public, security is crucial. To make the API more secure, users will need to have an API key. Services won’t be able to serve your data without this key.
Twitter was not able to do that.
Migues noted that cloud-native apps are becoming more popular, as is the world of refactoring monolithic applications into hundreds and thousands of APIs and microservices.
It is just another example of an unsecured API that developers have created to work. Security is a matter of sight, not mind.
Jamie Boote, an associate security consultant for software security at Synopsys Software Integrity Group, said that humans are bad at protecting what they cannot see.
The problem is that this is happening faster than there are application architects skilled enough to craft secure API and zero trust architectures.
Migues warned that “it’s growing faster than there is time to do threat modelling and skilled security testing.”
This is also the path that Twitter took in the past.
Boote stated that “In 2021, people discovered the Twitter API could also be used to divulge email addresses from other sources, and also leak some semi-public data like tying Twitter handles with this email address.” Many groups used the leaked email dumps to create seed material for handle farms that could collect additional information like follower counts and profile creation dates.
It appeared this particular issue was solved last year.
Boote stated, “After that, Musk purchased Twitter and dumps started appearing for sale because hackers were looking for a way to be paid.” The idea is that somebody collected them all and wanted Musk to purchase them.
The data was leaked because that did not happen. Now the question is: What’s next?
A Lingering Concern?
For many Twitter users, this could now be a problem that won’t go away. If nothing happens immediately, many users may even assume they’re in the clear – only to have something bad happen down the line.
Benjamin Fabre (CEO at security provider DataDome) stated that account takeover is a major problem.
Account takeover is when cybercriminals are able to take over an online account and perform unauthorised transactions without the knowledge of their victims.
Fabre cautioned that “these often go undetected for a very long time” because logging in isn’t suspicious. It’s part of the business logic for any website that has a login page. Hackers can gain access to personal information, linked credit cards and bank accounts in order to steal identities.
It’s important for anyone who suspects that their data may have been compromised to be alert.
Boote advised that malicious actors can have your email address. Users should reset their passwords on Twitter and ensure that they aren’t used for any other websites. To avoid being phished, you can delete emails appearing to be from Twitter.