Massive Twitter Leak

Chad Loder, the founder of cyber security awareness company Habitu8, received evidence last week of a massive Twitter breach that may have compromised over 5.4 million accounts in Europe and the US. 

Loder took to Twitter to publicize his discovery, but his tweets can no longer be found on Twitter because his account has since been suspended. Loder noted that the compromised accounts included anyone with the “Let others find you by phone” option enabled in their settings. In addition, Loder wrote, “All accounts for the entire country code of France (+33) are listed in the dataset with their mobile numbers.” The data leak that Loder discovered includes the account information of celebrities, politicians, and government agencies.

The API vulnerability thought to be the cause of this leak was first reported by HackerOne through Twitter’s bug bounty program in January. It allowed anyone who knew a user’s phone number or email address to identify that user’s account, and vice versa. In August, a threat actor with the username “devil” began selling the dataset for $30,000.
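The flaw described above is a contact-discovery endpoint that acts as an existence oracle: feed it a phone number or email and it tells you which account it belongs to, regardless of the user’s discoverability setting. The following Python model, added here as an illustration and not code from Twitter or from the article, puts the flawed lookup pattern beside a hardened one. The hardened version enforces the user’s opt-in server-side, returns an identical response for “unregistered” and “opted out”, and caps lookups per caller. All account names, numbers and addresses are constructed placeholders; the `clock` parameter exists only so the rate limit can be exercised deterministically.

```python
"""Contact-discovery lookup: the enumeration flaw beside a hardened form (illustrative)."""
from dataclasses import dataclass
import time


@dataclass
class Account:
    username: str
    phone: str
    email: str
    discoverable_by_phone: bool = False
    discoverable_by_email: bool = False


# Constructed sample directory; every value below is an invented placeholder.
DIRECTORY = [
    Account("alice", "+33600000001", "alice@example.test", discoverable_by_phone=True),
    Account("bob", "+33600000002", "bob@example.test"),  # opted out of all discovery
    Account("carol", "+15550000003", "carol@example.test", discoverable_by_email=True),
]


def lookup_vulnerable(identifier: str) -> dict:
    """Flawed pattern: any registered phone or email resolves straight to the
    account, ignoring the discoverability setting, and the response shape
    itself reveals whether the identifier is registered at all."""
    for acct in DIRECTORY:
        if identifier in (acct.phone, acct.email):
            return {"found": True, "username": acct.username}
    return {"found": False}


class ContactLookup:
    """Hardened form: honors the per-user opt-in, returns the same shape for
    'unknown' and 'opted out', and caps lookups per caller per time window."""

    def __init__(self, max_lookups: int = 5, window_s: float = 60.0, clock=time.monotonic):
        self.max_lookups = max_lookups
        self.window_s = window_s
        self.clock = clock  # injectable for tests; defaults to a monotonic clock
        self._calls: dict[str, list[float]] = {}

    def _allow(self, caller: str) -> bool:
        """Sliding-window counter: True if this caller may perform another lookup."""
        now = self.clock()
        recent = [t for t in self._calls.get(caller, []) if now - t < self.window_s]
        if len(recent) >= self.max_lookups:
            self._calls[caller] = recent
            return False
        recent.append(now)
        self._calls[caller] = recent
        return True

    def lookup(self, caller: str, identifier: str) -> dict:
        """Resolve a phone or email to a username only if that user opted in."""
        if not self._allow(caller):
            return {"error": "rate_limited"}
        for acct in DIRECTORY:
            if identifier == acct.phone and acct.discoverable_by_phone:
                return {"match": acct.username}
            if identifier == acct.email and acct.discoverable_by_email:
                return {"match": acct.username}
        # Identical response whether the identifier is unregistered or belongs
        # to a user who opted out, so the endpoint is not an existence oracle.
        return {"match": None}


if __name__ == "__main__":
    print("flawed  :", lookup_vulnerable("+33600000002"))   # leaks bob despite opt-out
    svc = ContactLookup(max_lookups=3)
    print("hardened:", svc.lookup("client-a", "+33600000002"))  # {'match': None}
    print("hardened:", svc.lookup("client-a", "+33600000001"))  # {'match': 'alice'}
```

The two properties worth copying are the ones the flawed version lacks: the opt-in flag is checked on the server for every match, and a non-discoverable user and a nonexistent one produce byte-identical responses. The rate limit keys on the caller, which in a real deployment would be the authenticated client or API key rather than a free-form string.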

But this data looks different from the “Devil’s” August leak.

“I compared this breached data to a sample from the data breach mentioned in the 2022 article. It is NOT the same data. Completely different formats and different affected accounts. Likely multiple actors all exploiting the same vulnerabilities in 2021,” Loder said. 

“This breach showcases how quickly criminals move whenever there is a vulnerability, particularly in a large social media site,” explained Javvad Malik, security awareness advocate at KnowBe4, via an email. “With so much information disclosed, criminals could quite easily use it to launch convincing social engineering attacks against users. This could be not only to target their Twitter accounts, but also via impersonating other services such as online shopping sites, banks, or even tax offices.”

Researchers warn that API attacks are likely to become more prominent and will plague the many companies relying on APIs for years to come, because APIs carry communication between systems and massive amounts of corporate and personal data pass through them.

The one consolation in an API attack is that the vulnerabilities are unique to each organization, which means the hackers are not able to exploit the same vulnerability in a different organization. That is some comfort for other businesses that may be concerned about the safety of their APIs, but it does little to mitigate the damage already done to millions of Twitter users’ private information. It is unclear whether Twitter will face fines for the data breach.
