UPDATED 19:04 EST / NOVEMBER 28 2022

5.4M records stolen from Twitter released for free on hacking forum

Some 5.4 million records belonging to Twitter Inc. users that were stolen in December have been released for free on a well-known hacking forum.

The breach first emerged in July when a threat actor offered the 5.4 million records for sale for $30,000 on Breach Forums, the successor site to RaidForums. The latter was shut down in April following an international law enforcement operation led by the U.S. Department of Justice.

According to Bleeping Computer Sunday, the data stolen includes private email addresses, phone numbers and scraped data. The scraped data includes Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count and profile image URLs.

The data was accessed via a vulnerability in Twitter’s application programming interface fixed in January, but not before it had been exploited. Twitter confirmed the breach in August, saying that it involved a “vulnerability in Twitter’s systems” and that the bug was the result of an update in June 2021.

The immediate issue is the gap between June 2021, when the vulnerability became accessible, and January, when it was fixed. It’s possible that even more Twitter accounts were accessed than the known 5.4 million.

Security expert Chad Loder claims to have received evidence of a “massive” Twitter data breach affecting Twitter accounts in the European Union and U.S. that occurred “no earlier than 2021.” Though he has not provided a solid number, and his Twitter account was suspended after he posted details, Loder claims on Mastodon that data from tens of millions of Twitter accounts may have been collected using the same API.

Much of the data is scraped and is already publicly available, but combined with a private email address or phone number, the compiled data could be used by hackers and other miscreants for phishing and other scams. The data could also possibly be used to uncover the identities of private accounts.

“This breach showcases how quickly criminals move whenever there is a vulnerability, particularly in a large social media site,” Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “With so much information disclosed, criminals could quite easily use it to launch convincing social engineering attacks against users.”

Malik warned that the data could be used not only to target Twitter accounts, but also to impersonate other services such as online shopping sites, banks, or even tax offices.

The ongoing issues around API security were raised by Jason Kent, hacker in residence at API security firm Cequence Security Inc., who noted that “if you have an unauthenticated API endpoint that retrieves data, the odds of being breached are extremely high.”

“If the endpoint isn’t cataloged but still active, this shadow endpoint can leak massive amounts of data and lead to breaches like this,” Kent explained. “This keeps repeating itself over and over as API data breaches become important in the realm of the attacker.”

Avishai Avivi, chief information security officer at cybersecurity company SafeBreach Inc., agreed, saying that API attacks will become more prominent in the near future and plague the companies relying on APIs for years to come.

“Because APIs are meant to be used by systems to communicate with each other and exchange massive amounts of data, these interfaces represent an alluring target for malicious actors to abuse,” Avivi added.
