At a glance.
- Twitter breach proves worse than it seemed.
- It could take more than an Allen wrench to fix this.
- Bug exposes GameStop customer data to other users.
- Australian data discovered on the digital underground.
- Meta's GDPR fine.
Twitter's expanding data incident.
Security Affairs reports that last year’s massive Twitter data breach, caused by a bug that was patched in January, was actually larger than initially thought. While it was originally believed that the breach was the work of just one attacker, researchers have discovered evidence that more than one hacker likely exploited the zero-day vulnerability, as the same data appear to have been published for sale on the dark web by a number of sources. The flaw in question, introduced by a June 2021 upgrade, exposed the identities of pseudonymous accounts by allowing an intruder to submit a known person's phone number or email address and learn whether it was linked to an active Twitter account. Though Twitter patched the vulnerability, it had apparently been exploited before being resolved, and this past July a user on the popular underground website Breached Forums offered to sell data belonging to around 5.4 million Twitter users for $30,000. Just last week, a researcher discovered the same data offered for free on the dark web.
Making matters worse, as Bleeping Computer explains, security expert Chad Loder has found an even larger, previously unknown data dump containing tens of millions of Twitter records allegedly created using the same vulnerability. The data consist of personal phone numbers and public information including verified status, account names, Twitter ID, bio, and screen name. What’s more, the person responsible for the first breach, a hacker known as Pompompurin, says he is not behind this new breach, indicating more than one actor has exploited the bug. Loder shared on Twitter, "I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021."
Brian Johnson, Chief Security Officer at Armorblox, describes what follows exposure of phone numbers and email addresses:
"Breaches that expose email addresses and phone numbers are almost always followed up by targeted phishing and SMiShing campaigns. Given that Twitter has also been in the news a lot recently, attackers might exploit our cognitive biases like recency bias to send out fake password reset emails or SMSes to Twitter users to steal their credentials. Stolen passwords now allow them to try these passwords out laterally across other sites because many users use the same password across different providers. We recommend that users set up multi-factor authentication on all their personal and work accounts, and more specifically, watch out for suspicious emails that appear to be coming from Twitter. This includes verifying the sender email addresses, and any links that are included in the email to make sure that they are indeed related to Twitter."
Richard Bird, Chief Security Officer from Traceable, thinks discussion of the incident shows that APIs remain mysterious to too many security practitioners:
“The timeline and the confusion reflected in Twitter’s statements to the market about its latest breach echo the widespread lack of understanding about the risks associated with APIs, as well as the inability to secure those APIs in a timely manner. Twitter created a pathway to a broken object-level authorization exploit and then believed that no one capitalized on that error. Unfortunately, that has been proven wrong. This is the problem with APIs; when you have no security program around them, bad actions don’t look any different from normal users. Twitter simply didn’t understand the difference between a use case and an abuse case within their code, and this is something that happens regularly to companies of all sizes. This incident should serve as a reminder to the world of how weak API security is within almost every corporation and organization on the planet.”
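The contact-lookup oracle described above, and the use-case-versus-abuse-case gap Bird points to, as an added example that is not Twitter's code: a lookup handler that answers differently for linked and unlinked contacts, beside a hardened version that honours an opt-in discoverability flag (an assumption; the page does not describe Twitter's settings), returns an identical response for opted-out and nonexistent accounts, and records high-volume lookups as an abuse signal. The directory entries and the five-per-minute threshold are constructed.

```python
"""Contact-lookup endpoint: an enumeration oracle beside a hardened version.

Constructed sample data; no real accounts. Field names are illustrative."""
from collections import defaultdict, deque

# Constructed directory: contact -> (screen_name, discoverable_by_this_contact)
ACCOUNTS = {
    "+15550001111": ("activist_42", False),   # pseudonymous, opted out of discovery
    "alice@example.com": ("alice", True),     # opted in to "find me by email"
}


def lookup_vulnerable(contact):
    """Answers differently for linked vs. unlinked contacts, so anyone holding a
    phone number or email address can test whether it belongs to an account."""
    hit = ACCOUNTS.get(contact)
    if hit is None:
        return {"status": 404, "error": "no account linked"}
    return {"status": 200, "screen_name": hit[0]}


class HardenedLookup:
    """Same feature with three controls: honour the owner's opt-in, make
    non-matches indistinguishable from opted-out accounts, and treat
    high-volume lookups as an abuse case rather than a normal user."""
    NO_MATCH = {"status": 200, "results": []}

    def __init__(self, max_per_minute=5):
        self.max_per_minute = max_per_minute
        self.windows = defaultdict(deque)   # client_id -> lookup timestamps
        self.alerts = []                    # detection output for the SOC

    def lookup(self, client_id, contact, now):
        window = self.windows[client_id]
        while window and now - window[0] >= 60:  # sliding one-minute window
            window.popleft()
        window.append(now)
        if len(window) > self.max_per_minute:
            # Enumeration at volume is the abuse case; record it and refuse.
            self.alerts.append({"client": client_id, "count": len(window), "at": now})
            return {"status": 429, "results": []}
        hit = ACCOUNTS.get(contact)
        if hit is None or not hit[1]:       # unlinked and opted-out look identical
            return dict(self.NO_MATCH)
        return {"status": 200, "results": [hit[0]]}
```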
It could take more than an Allen wrench to fix this.
Ransomware gang Vice Society has posted data they claim were stolen from IKEA stores in Morocco and Kuwait, Cybernews reports. The hacking group’s leak site suggests the threat actors obtained confidential business data, and the names of the files indicate some of the data might have been stored in Jordan as well. The popular Swedish-Dutch home goods purveyor operates two stores in Jordan, three in Kuwait, and four in Morocco. File and folder names indicate that sensitive employee data such as passport information might also be included. The prolific Vice Society ransomware gang has been operating since at least late 2020 and typically targets entities in the education and healthcare sectors, making this breach a bit of an outlier. IKEA has not yet responded to inquiries for comment.
Bug exposes GameStop customer data to other users.
Popular video game retailer GameStop has suffered a data breach that potentially exposed customers’ billing addresses and payment histories, Appuals.com reports. On Saturday, users of GameStop’s website reported on social media that they could view other users’ details while refreshing their purchase pages. The issue appears to have been caused by a bug in GameStop’s user database that allowed customers to unintentionally access other customers’ names, orders, addresses, and potentially even credit card numbers any time a page was refreshed. GameStop has indicated that it is launching an investigation into the matter. After examining the data, GameStop Customer Care staff say the addresses and names that appeared in consumers’ accounts were only used for testing purposes and were “not actual customer data.”
Australian data discovered on the digital underground.
ABC reports that an investigation has revealed that the highly sensitive information of millions of Australians is being openly traded on the dark web. The data include logins for personal Australian Tax Office accounts, medical and personal data of thousands of National Disability Insurance Scheme (NDIS) recipients, and the sensitive details of the alleged assault of a school student by their teacher in the state of Victoria. At least some of the data were obtained in a May cyberattack on CTARS, a company that provides a cloud-based client management system to NDIS providers. The National Disability Insurance Agency (NDIA), which is responsible for the NDIS, told a Senate committee it had confirmed with CTARS that the 9,800 impacted individuals had been notified about the breach, but many victims say they had not received a notification or even heard of the hack until they were contacted by ABC. After the widely covered recent breaches of Australian insurer Medibank and telecom provider Optus, the new investigation underscores the fact that Australian data are currently a hot commodity on underground hacker marketplaces. Katherine Mansted, director of cyber intelligence at CyberCX, stated, "There's a criminal's cornucopia of information available on the clear web, which is the web that's indexed by Google, as well as in the dark web. There's a very low barrier of entry for criminals … and often what we see with foreign government espionage or cyber programs — they're not above buying tools or buying information from criminals either."
Meta's GDPR fine.
The Irish Data Protection Commission has fined Facebook's corporate parent Meta €265 million over a breach that affected personal information of "hundreds of millions" (up to 525 million) of Facebook users, the BBC reports. The case is an unusual one in that most of the data obtained and subsequently dumped on an online forum had been scraped, and not hacked. The Data Protection Commission found Meta in violation of Article 25 of the General Data Protection Regulation (GDPR). The Commission noted in its decision that this wasn't Facebook's first brush with unwelcome and illicit data scraping. The BBC quotes a Facebook spokesman: "We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers. Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge. We are reviewing this decision carefully."
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, thinks it's clear by now that GDPR has regulatory teeth:
“In the early days of GDPR, some wondered if GDPR would be all bark and no bite! I think now the answer is obvious. Millions of Euros in fines have been issued to violators of GDPR. Enterprises spend many millions (billions?) more attempting to comply with GDPR through procedural refinements, compliance monitoring, and tool acquisition. The fact that GDPR codifies data protection standards and associated fines for non-compliance means that more and more enterprises are doing their best to handle, process, and store peoples’ data more safely.
"As in the case of Meta, the Irish Data Protection Commission found that Meta was in breach of Article 25 of the General Data Protection Regulation (GDPR) rules. In addition to the punishment, Meta has also received a reprimand and an order directing it to bring its processing into compliance by taking a number of certain corrective actions within a certain amount of time.
"But consider this: a far worse repercussion is the reputational damage done. Consumers put their faith and trust in enterprises to observe data security and privacy mandates as spelt out by GDPR, and other measures. When organizations fail to do that, customers take notice and subsequently seek out alternative organizations that can better protect them and their sensitive information. How can organizations avoid this far worse fate of damaged reputation? They need to take a data-centric approach to protect their customers’ private, sensitive data through methods such as tokenization, which is quickly becoming the norm in enterprises seeking to go beyond bare-minimum compliance requirements.”