An estimated 5.4 million Twitter users were affected by an enormous data breach. The exposed accounts included non-public information belonging to users in the US and Europe. According to reports, the data was stolen through an API vulnerability and then shared on a hacker forum. Although the vulnerability is reported to have been fixed, security experts have also disclosed another, larger and more serious dump of data on millions of Twitter users.
BleepingComputer reports that the data circulating online includes scraped public information alongside private phone numbers and email addresses that were never intended to be public. A bug was used by multiple threat actors to steal the private information.
The bug was found earlier in the year through HackerOne's bug bounty program. Although it was addressed, it is unclear whether the data had already been leaked by then.
Javvad Malik, security awareness advocate at KnowBe4, said via email that this breach “shows how criminals move quickly whenever there is a vulnerability, especially in large social networks.” With so much information available, criminals can quite easily craft convincing social engineering attacks against the affected users. They could target users’ Twitter accounts directly and also impersonate other services such as banks, online shops and tax offices.
Avishai Avivi, CISO and security researcher at SafeBreach, warned that API attacks will become more common over time. This could spell trouble in the years to come for companies that rely on APIs. APIs are meant to let systems communicate with each other and exchange massive amounts of data, and as a result these interfaces represent an alluring target for malicious actors to abuse.
Avivi said that API vulnerabilities can be harder to detect. However, once an attacker gains access through an improperly designed API, they are essentially able to reach the organization's database, which is why millions of records can be affected when an API breach happens.
Moreover, exploiting API vulnerabilities does not require human interaction, such as clicking on a malicious link or falling for a phishing email.
One positive aspect, Avivi added, is that API vulnerabilities are unique to each organization that uses them. Unlike other software vulnerabilities, the same API flaw cannot be used by a malicious actor against another organization.
This is unlikely to be of much comfort to the many millions of Twitter users whose data could now be freely available on the dark web.
Meta Handed Quarter-Billion-Dollar Fine
News of the Twitter breach comes as Ireland’s Data Protection Commission has handed Meta, the parent company of Facebook, a $265 million fine. The fine was for data breaches that affected millions of Facebook users in 2021. According to reports, the information stolen from Facebook included phone numbers, Facebook IDs, names, addresses, locations, dates of birth and email addresses.
John Stevenson, product director at cybersecurity firm Cyren, said in an email that every Facebook user whose data was posted on hacking forums could be subject to phishing scams that use their exposed PII to obtain higher-value credentials.
Stevenson said that although the original data breach occurred in 2021, it was encouraging to see retrospective fines. The consequences of this case will hopefully encourage others to adhere to cyber regulations.
Twitter may face a similar penalty for the data breach that it has just disclosed.