A hack of over 400 million Twitter users’ data in 2021 continues to surface into 2023.
Twitter targeted in extortion hack.
Among all the reasons Twitter has been in the headlines since its ownership change and reorganization, a new issue emerged at the end of December — the social media giant saw the data of a multitude of users stolen and held for ransom.
Waiting for the perfect time to strike.
The hacker, who goes by the name “Ryushi” on the Breached hacking forum, claimed to be selling the data of over 400 million Twitter users. The data were obtained in 2021, Bleeping Computer reports, through a since-patched API vulnerability that made the information accessible.
Held for ransom.
Spiceworks reports that the hacker demanded $200,000 in ransom from the social media outlet to delete the data. The alternative, if “Ryushi” isn't paid, is that the data would be sold to buyers willing to fork out $60,000 a copy.
A closer look into data protection at Twitter.
Bloomberg reports that Ireland’s Data Protection Commission began a probe into Twitter on Friday, December 23rd. The agency says it believes that “one or more provisions” of the EU’s General Data Protection Regulation may not have been adhered to, and may continue not to be adhered to, by the social media giant. If a violation is confirmed, the GDPR allows fines of as much as 4% of the company's annual sales.
Added, 5:45 PM ET, January 4th, 2023.
Synopsys wrote to offer perspective on API security, which they see as the root cause of the breach. Jamie Boote, associate software security consultant at Synopsys Software Integrity Group, said:
“This is a common example of how an unsecured API that developers design to ‘just work’ can remain unsecured because when it comes to security, what is out-of-sight is often out-of-mind. Humans are terrible at securing what they can't see. As always, malicious actors have your email address. To be safe, users should change their Twitter password and make sure it's not reused for other sites. And from now on, it's probably best to just delete any emails that look like they're from Twitter to avoid phishing scams.”
Sammy Migues, principal scientist at Synopsys Software Integrity Group, notes that the value of the stolen data on the criminal markets seems to have proven negligible:
“API security is the real story here. As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices. Certainly, this effort is growing much faster than the skills and numbers of application architects who can craft working secure API and zero trust architectures. It's also growing faster than the time there is available to do threat modeling and skilled security testing. In this case, the lapse in API security resulted in email addresses tied to Twitter accounts and it seems the marketplace has spoken on the value of that data--next to nothing.”
Data in a Twitter profile can be useful in a variety of ways. “In 2021, people discovered that the Twitter API could be used to disclose email addresses that were provided from other sources and also leak some other semi-public info like tying a Twitter handle with that email address. Several groups then used leaked email dumps as seed material to start farming for handles that they could then gather other information such as follower counts, profile creation date, and other information available on a Twitter profile.” He added some speculation about the timing of the leaks. “This issue was then fixed last year. After all that, Musk bought Twitter, and dumps of these started showing up for sale as hackers were looking to get paid for their efforts. Most recently, it appears as though someone collected a bunch of these — plus combined with some new accounts — and tried to get Musk to pay up for them.”
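The mechanism Migues describes, an API that answers whether an email address is tied to an account, is the textbook account-enumeration oracle. The following is an added illustration, not Twitter's code and not anything supplied by the sources quoted above: a leaky lookup placed beside a hardened one that returns the same response whether or not the address is registered and budgets how many distinct addresses one client may probe, followed by a detector that flags clients probing many distinct addresses in request logs. The account data, client identifiers and log lines are all constructed for the example.

```python
"""Email-to-handle lookup: enumeration oracle vs. hardened design, plus a detector.

Constructed example. The account store, client ids and log lines are made up;
nothing here is taken from Twitter's API or the reporting above.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed account store: email address -> public handle.
ACCOUNTS = {
    "alice@example.com": "@alice_ex",
    "bob@example.com": "@bob_ex",
}


def leaky_lookup(email: str) -> dict:
    """Leaky design: status and body differ for registered vs. unknown addresses,
    so anyone holding an email dump can confirm which addresses have accounts
    and learn the handle tied to each one."""
    handle = ACCOUNTS.get(email.lower())
    if handle is None:
        return {"status": 404, "body": {"error": "no account for this email"}}
    return {"status": 200, "body": {"handle": handle}}


@dataclass
class HardenedLookup:
    """Hardened design: the caller always gets the same answer; any real result
    goes to the mailbox owner out of band; each client may probe only a small
    number of distinct addresses; every attempt is written to an audit log."""
    max_distinct_per_client: int = 5
    seen: dict = field(default_factory=lambda: defaultdict(set))
    audit_log: list = field(default_factory=list)
    outbound_mail: list = field(default_factory=list)

    def lookup(self, client_id: str, email: str) -> dict:
        email = email.lower()
        self.audit_log.append((client_id, email))
        probed = self.seen[client_id]
        probed.add(email)
        if len(probed) > self.max_distinct_per_client:
            # The budget is per client, not per address, so hitting it reveals
            # nothing about whether any particular address is registered.
            return {"status": 429, "body": {"error": "rate limited"}}
        if email in ACCOUNTS:
            # Side effect is delivered to the account owner, never to the caller.
            self.outbound_mail.append((email, "a lookup of your account handle was requested"))
        return {"status": 202,
                "body": {"message": "if an account exists, an email has been sent"}}


# Constructed request log: c1 looks like a normal user, c2 is walking a list.
SAMPLE_LOG = """\
2023-01-03T10:00:01Z client=c1 path=/lookup email=alice@example.com status=202
2023-01-03T10:00:09Z client=c1 path=/lookup email=alice@example.org status=202
2023-01-03T10:00:10Z client=c2 path=/lookup email=a1@example.net status=202
2023-01-03T10:00:10Z client=c2 path=/lookup email=a2@example.net status=202
2023-01-03T10:00:11Z client=c2 path=/lookup email=a3@example.net status=202
2023-01-03T10:00:11Z client=c2 path=/lookup email=a4@example.net status=202
2023-01-03T10:00:12Z client=c2 path=/lookup email=a5@example.net status=429
"""


def detect_enumeration(log_text: str, threshold: int = 3) -> list:
    """Return client ids that probed more than `threshold` distinct addresses.
    Counting distinct addresses (not requests) separates a user retrying the
    same lookup from a client farming handles out of a dump."""
    distinct = defaultdict(set)
    for line in log_text.splitlines():
        # Skip the timestamp, then parse key=value pairs.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        distinct[fields["client"]].add(fields["email"])
    return sorted(c for c, probed in distinct.items() if len(probed) > threshold)


if __name__ == "__main__":
    print("leaky:", leaky_lookup("alice@example.com"), leaky_lookup("nobody@example.com"))
    hardened = HardenedLookup(max_distinct_per_client=3)
    print("hardened:", hardened.lookup("c1", "alice@example.com"),
          hardened.lookup("c1", "nobody@example.com"))
    print("flagged clients:", detect_enumeration(SAMPLE_LOG))
```

The hardened version still has a cost: the legitimate "find my contacts" use case that such endpoints serve is gone, which is why the usual remedy is to gate any email-based matching behind the caller's own authenticated session and the contact owner's consent rather than expose it as an open lookup. The detector is deliberately simple; in production the same count would be kept per client over a sliding window, with the 429 responses themselves as a second signal.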
Added, 2:00 PM ET, January 5th, 2023.
Benjamin Fabre, CEO at DataDome, sees account takeover as the most serious risk to emerge from the incident. “A major concern here is that affected users will suffer from account takeover. When cybercriminals succeed in taking control of an online account, they can perform unauthorized transactions, unbeknownst to the victims. These often go undetected for a long time because logging in isn’t a suspicious action. It’s within the business logic of any website with a login page,” he wrote in an email. “Once a hacker is inside a user’s account, they have access to linked bank accounts, credit cards, and personal data that they can use for identity theft.”