Approximately 5.4 million records belonging to Twitter Inc. users that were stolen in December have been released for free on a well-known hacking forum.
The breach first emerged in July when a threat actor offered the 5.4 million records for sale for $30,000 on Breach Forums, the successor site to RaidForums. The latter was shut down in April following an international law enforcement operation led by the U.S. Department of Justice.
According to Bleeping Computer, the data stolen includes private email addresses, phone numbers and scraped data. The scraped data includes Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count and profile image URLs.
The data was accessed via a vulnerability in Twitter’s application programming interface fixed in January, but not before it had been exploited. Twitter confirmed the breach in August, saying that it involved a “vulnerability in Twitter’s systems” and that the bug was the result of an update in June 2021.
The immediate issue is the gap between the vulnerability being introduced in June 2021 and its fix in January; during that window it is possible that even more Twitter accounts were accessed than the known 5.4 million.
Security expert Chad Loder claims to have received evidence of a “massive” Twitter data breach affecting Twitter accounts in the European Union and U.S. that occurred “no earlier than 2021.” While not providing a solid number and having his Twitter account suspended after posting details, Loder claims on Mastodon that data from tens of millions of Twitter accounts may have been collected using the same API.
While much of the data is scraped and is already publicly available, combined with a private email address or phone number, the compiled data could be used by hackers and other miscreants for phishing and other scams. The data could also be possibly used to uncover the identities of private accounts.
“This breach showcases how quickly criminals move whenever there is a vulnerability, particularly in a large social media site,” Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “With so much information disclosed, criminals could quite easily use it to launch convincing social engineering attacks against users.”
Malik warned that the data could be used not only to target Twitter accounts, but also to impersonate other services such as online shopping sites, banks, or even tax offices.
The ongoing issues around API security were raised by Jason Kent, hacker in residence at API security firm Cequence Security Inc., who noted that “as our research has held again and again, if you have an unauthenticated API endpoint that retrieves data, the odds of being breached are extremely high.”
“If the endpoint isn’t cataloged but still active, this shadow endpoint can leak massive amounts of data and lead to breaches like this,” Kent explained. “This keeps repeating itself over and over as API data breaches become important in the realm of the attacker.”
Avishai Avivi, chief information security officer at cybersecurity company SafeBreach Inc., agreed, saying that “API attacks are going to become more prominent in the near future and plague the companies relying on APIs for years to come.”
“Because APIs are meant to be used by systems to communicate with each other and exchange massive amounts of data – these interfaces represent an alluring target for malicious actors to abuse,” Avivi added.