At a glance.
- Twitter cancels a network of fake accounts that was matching usernames with phone numbers.
- An email marketing firm may have left more than fifty-million records exposed to the Internet.
- A transit service exposes customer email addresses by incautiously sending an email to a group of them.
Twitter finds fake accounts exploiting an API.
Twitter said yesterday that a network of “fake accounts” had been exploiting its API to match usernames with phone numbers. The problem was discovered on December 24th, and Twitter now believes it has enough of a handle on the problem to disclose it to users. The feature the inauthentic accounts were abusing was the one that gave users the option to “Let people who have your phone number find you on Twitter.” It's intended as a means of letting new users find friends, colleagues, and acquaintances on the social platform.
Twitter began its investigation of the issue after TechCrunch reported that a researcher had demonstrated the ability to match phone numbers with usernames, and to do so in bulk. Twitter says it's fixed the vulnerability that enabled exploitation of this particular API. It also suspended the fake accounts. The story may have an espionage dimension. “We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” Twitter wrote on its Privacy site, adding, “It is possible that some of these IP addresses may have ties to state-sponsored actors.”
Report: exposed database reveals 51.2 million records.
Email marketing firm Pabbly, based in Bhopal, India, is said to have inadvertently left an email database exposed to the Internet for both inspection and editing. Researcher Jeremiah Fowler reported the exposure. He said he disclosed it to Pabbly but received no response to his communication. TechNadu points out that companies in the state of Madhya Pradesh are required by law to report data breaches to the authorities. Pabbly's email marketing business is an international one, and the company claims that more than 100,000 businesses use its services, so any consequences of an exposure wouldn't be confined to India.
An email can constitute a breach.
Yarra Trams, a commuter service in Australia's state of Victoria, inadvertently exposed the email addresses of ninety-one customers by the simple act of sending a single email to all of them, with every addressee's address plainly visible in the recipient field, The Age reports. In a way this adds injury to insult: the email was sent to inform them that their claims for compensation over services Yarra Trams failed to provide had been denied. An attempt to recall the email fifteen minutes after it was sent only made matters worse by repeating the same mistake the initial message made.