The email addresses of over 200 million people on the micro-blogging site have been leaked.


Social media users and the 2021 Twitter vulnerability

Security experts warned that, as a result of the apparent leak, verified users with large followings will be valuable targets: with their handles now tied to real email addresses, they risk being extorted or even losing their jobs.

“Bad actors have won the jackpot,” said Rafi Mendelsohn, a spokesman for Cyabra, a social media analysis firm focused on identifying disinformation and inauthentic online behavior. Private data such as emails, handles, and creation date can be used to build sophisticated hacking campaigns.

The database appears to date back to 2021, The Washington Post reports, when attackers discovered a vulnerability in Twitter’s systems. The flaw allowed them to automate account lookups, submitting email addresses and phone numbers in bulk to learn which ones were associated with Twitter accounts, and so to link otherwise pseudonymous handles to real contact details.
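The flaw described above is an account-enumeration oracle: a lookup that answers differently depending on whether a contact belongs to an account, with nothing stopping bulk calls. The following is an added example modelling that class of bug beside a hardened form; it is not Twitter’s code, and the account records, the per-account `discoverable` opt-in flag, the client identifiers and the rate limits are all constructed for illustration.

```python
"""Account-lookup enumeration oracle, vulnerable and hardened (added example).

Models the class of flaw in the article, not Twitter's actual endpoint.
All data, names and limits below are constructed for illustration.
"""
import time
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample directory (hypothetical data): contact -> account record.
# "discoverable" is an assumed per-account opt-in flag, not a Twitter field.
ACCOUNTS = {
    "alice@example.com": {"handle": "@alice", "discoverable": True},
    "+15550100": {"handle": "@bob_official", "discoverable": False},
}

NOT_FOUND = {"found": False}


def vulnerable_lookup(contact: str) -> dict:
    """The oracle: the response reveals whether the contact maps to an account,
    ignores the owner's opt-in, and nothing limits how often it is called."""
    acct = ACCOUNTS.get(contact)
    if acct is None:
        return dict(NOT_FOUND)
    return {"found": True, "handle": acct["handle"]}


class HardenedLookup:
    """Same feature (contact discovery) without the oracle.

    Two mitigations: a non-discoverable account is indistinguishable from a
    non-existent one, and each client gets a sliding-window lookup budget.
    """

    def __init__(self, max_per_window: int = 20, window_s: float = 60.0):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._calls: Dict[str, List[float]] = defaultdict(list)

    def _allowed(self, client_id: str, now: float) -> bool:
        stamps = self._calls[client_id]
        # Drop timestamps that fell out of the window, then count what is left.
        stamps[:] = [t for t in stamps if now - t < self.window_s]
        if len(stamps) >= self.max_per_window:
            return False
        stamps.append(now)
        return True

    def lookup(self, client_id: str, contact: str, now: Optional[float] = None) -> dict:
        now = time.monotonic() if now is None else now
        if not self._allowed(client_id, now):
            return {"error": "rate_limited"}
        acct = ACCOUNTS.get(contact)
        if acct is None or not acct["discoverable"]:
            return dict(NOT_FOUND)  # same answer for "no account" and "opted out"
        return {"found": True, "handle": acct["handle"]}


def enumerate_contacts(lookup: Callable[[str], dict],
                       candidates: Iterable[str]) -> Dict[str, str]:
    """Simulated bulk scraping: feed a candidate list (e.g. from an earlier
    leak) through a lookup and keep every contact->handle link it reveals."""
    linked: Dict[str, str] = {}
    for contact in candidates:
        resp = lookup(contact)
        if resp.get("found"):
            linked[contact] = resp["handle"]
    return linked


if __name__ == "__main__":
    candidates = ["alice@example.com", "+15550100", "nobody@example.com"]
    print("vulnerable:", enumerate_contacts(vulnerable_lookup, candidates))
    hardened = HardenedLookup(max_per_window=2)
    print("hardened:", enumerate_contacts(
        lambda c: hardened.lookup("scraper", c), candidates))
```

Against the vulnerable lookup the scraper links both accounts; against the hardened one it only learns about users who opted in, and its budget runs out after two calls. In a real service the "not found" and "opted out" paths must also match in latency and response size, or the oracle reappears as a timing side channel.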

Troy Hunt, a security researcher, said Thursday that his analysis of the data “found 211,524,284 unique email addresses” that had been leaked. The Washington Post reported on a forum post that advertised the data of 235 million accounts.

CNN asked whether the records would be added to haveibeenpwned.com, a website that lets users check whether their email address appears in known breaches. CNN has not independently verified the records’ authenticity.

Last summer, Peiter Zatko, the former head of security at the company, filed a report with the US government about alleged security vulnerabilities in the company. Zatko claimed that Twitter’s shortcomings on security reflected a breach of Twitter’s binding commitments to the Federal Trade Commission, a serious offense. (Twitter broadly and repeatedly pushed back at Zatko’s allegations.)

Have I Been Pwned, BleepingComputer and Europe’s data privacy regulator on the July 2022 leak

To limit the damage from the phishing and credential-stuffing attempts a leak like this enables, security researchers say internet users should use a unique password for each online service and keep track of them with a password manager. Multi-factor authentication should be enabled, and caution should be exercised when opening emails or links.

According to the cybersecurity news outlet BleepingComputer, which said it tested the data, the latest dump appears to be the same dataset advertised on hacking forums in November, which allegedly contained 400 million records, slimmed down to remove duplicates. Twitter has not commented on the leak.

In December, Twitter’s main European privacy regulator, the Irish Data Protection Commission, said it is investigating the July 2022 leak as a possible violation of Europe’s signature privacy law, known as GDPR.

Earlier incidents have already led the company to sign two consent orders with the FTC. Such orders can lead to fines, restrictions and even sanctions against individual executives.

Alon Gal, co-founder of Hudson Rock, said in a post about the hack that it is one of the most significant leaks he has seen. “[It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”

The breach has now been added to Have I Been Pwned’s systems, meaning anyone can visit the site and enter their email address to see if it was included in the database.

WIRED’s request for comment, Twitter’s August disclosure, and a seven-figure notification email

Twitter did not reply to WIRED’s requests for comment. In an August disclosure the company wrote that it fixed the vulnerability after learning of it: “At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.” Seemingly, Twitter’s telemetry was insufficient to detect the malicious scraping, even though bulk lookups of this kind leave a distinctive pattern in request logs.
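Scraping an enumeration endpoint looks different from normal use: one client submits an unusually large number of distinct lookup keys in a short window, most of them misses. The following is an added example of that detection logic run over constructed log lines; the log format, the client names and the thresholds are hypothetical and are not Twitter’s telemetry or the article’s own material.

```python
"""Flagging bulk account-lookup scraping from request logs (added example).

The log format below is constructed for illustration and is not any real
service's telemetry. One line per lookup:
  <ISO8601 UTC> client=<id> op=lookup key=<hash of queried contact> result=<hit|miss>
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

LINE_RE = re.compile(r"^(\S+) client=(\S+) op=lookup key=(\S+) result=(hit|miss)$")

# Constructed sample: a normal app doing three lookups, one unparseable line,
# and a scraper pushing 40 distinct keys through in 40 seconds.
SAMPLE_LOG: List[str] = [
    "2021-06-01T12:00:00Z client=app-17 op=lookup key=k001 result=hit",
    "2021-06-01T12:00:05Z client=app-17 op=lookup key=k002 result=miss",
    "2021-06-01T12:00:40Z client=app-17 op=lookup key=k001 result=hit",
    "this line is malformed and must be skipped, not crash the detector",
] + [
    f"2021-06-01T12:00:{i:02d}Z client=scraper op=lookup "
    f"key=k{100 + i} result={'hit' if i % 4 == 0 else 'miss'}"
    for i in range(40)
]


def parse(lines: Iterable[str]) -> List[Tuple[float, str, str, str]]:
    """Parse log lines into (epoch_seconds, client, key, result) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production pipeline should count these, not just skip
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_scrapers(lines: Iterable[str], max_distinct: int = 25,
                  window_s: float = 60.0) -> Dict[str, Dict[str, float]]:
    """Return clients whose peak count of distinct lookup keys in any sliding
    window exceeds max_distinct, with that peak and their overall miss ratio."""
    per_client: Dict[str, List[Tuple[float, str, str]]] = defaultdict(list)
    for ts, client, key, result in parse(lines):
        per_client[client].append((ts, key, result))

    flagged: Dict[str, Dict[str, float]] = {}
    for client, events in per_client.items():
        events.sort()
        window: deque = deque()          # (ts, key) pairs inside the window
        in_window: Counter = Counter()   # key -> occurrences inside the window
        peak = 0
        misses = 0
        for ts, key, result in events:
            misses += result == "miss"
            window.append((ts, key))
            in_window[key] += 1
            # Evict everything at or beyond window_s in the past.
            while window and ts - window[0][0] >= window_s:
                _, old_key = window.popleft()
                in_window[old_key] -= 1
                if in_window[old_key] == 0:
                    del in_window[old_key]
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[client] = {"peak_distinct": peak,
                               "miss_ratio": misses / len(events)}
    return flagged


if __name__ == "__main__":
    for client, stats in find_scrapers(SAMPLE_LOG).items():
        print(f"{client}: {stats}")
```

Distinct keys per window, rather than raw request count, is the signal: a legitimate client retries the same few contacts, while a scraper working through a leaked list never repeats one. The miss ratio is a secondary signal, since most entries in a random contact list do not belong to any account.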

Hunt says it is the first time he has sent a seven-figure email. “Almost a quarter of my entire corpus of subscribers is really significant. I don’t think this incident will have a long tail in terms of impact because so much of it was already out there. It may change the way people are seen. The thing I’m more worried about is those individuals who wanted to maintain their privacy.”