The account details of some 200 million Twitter users were posted on a hacker forum for free
In July 2019, the United States Conference of Mayors unanimously adopted a resolution not to pay any more ransom demands to hackers following a ransomware attack. Cybersecurity experts heralded the decision, and numerous companies have also taken a stance that a ransom should never be paid – as doing so will only likely result in future attacks from bad actors.
Last month, Twitter essentially ignored the calls for a ransom to be paid after data from hundreds of millions of users was stolen following a breach. This week, the account details of some 200 million records were then posted on a hacker forum for free. Some of the popular and known names and entities include Sundar Pichai, Donald Trump Jr., SpaceX, CBS Media, the NBA, and the World Health Organization.
As previously reported, the database was 63GB and it included account name, handle, creation date, follower count, and even email address. Researchers have warned that the leaked data could be used to hack Twitter users’ accounts, and could also be used for social engineering or “doxxing” campaigns.
What is notable is that this latest breach is hardly getting much attention.
“It’s tempting to shrug and say ‘that’s life in the big city,” said David Maynor, senior director of Threat Intelligence at cybersecurity firm Cybrary. “How many people in this Twitter breach are having their data exposed for the first time? I have free credit monitoring for life, based on all the breaches my data has shown up in.”
The API Issue
Understanding the significance also requires understanding how the breach actually occurred, and what users can expect to come next.
“API security is the real story here,” suggested Sammy Migues, principal scientist at Synopsys Software Integrity Group.
The Application Programming Interface (API) is essentially the way for two or more computer programs to communicate with each other. Security is especially important for any public-facing API, and more secure systems often require users to be assigned an API key. Without that key, the services refuse to serve data.
That wasn’t apparently the case with Twitter.
“As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices,” noted Migues.
This is now just the latest example of how an unsecured API that developers design to “just work” can remain unsecured because when it comes to security, what is out-of-sight is all too often out-of-mind.
“Humans are terrible at securing what they can’t see,” said Jamie Boote, associate software security consultant at Synopsys Software Integrity Group
The issue is that this effort is growing much faster than the skills and numbers of application architects who can craft working secure API and zero-trust architectures.
“It’s also growing faster than the time there is available to do threat modeling and skilled security testing,” warned Migues.
Twitter has also been down this road in the past.
“In 2021, people discovered that the Twitter API could be used to disclose email addresses that were provided from other sources and also leak some other semi-public info like tying a Twitter handle with that email address,” Boote added. “Several groups then used leaked email dumps as seed material to start farming for handles that they could then gather other information such as follower counts, profile creation date, and other information available on a Twitter profile.”
That particular issue was fixed last year, and it appeared that may have been the last of it.
“After all that, Musk bought Twitter, and dumps of these started showing up for sale as hackers were looking to get paid for their efforts,” said Boote. “It appears as though someone collected a bunch of these, and tried to get Musk to pay up for them.”
As that didn’t happen, the data has been leaked to the world. The question is what could come next.
A Lingering Concern?
For many Twitter users – this could now be a problem that won’t go away. If nothing happens immediately, many users may even assume they’re in the clear – only to have something bad happen down the line.
“A major concern here is that affected users will suffer from account takeover,” explained Benjamin Fabre, CEO at security provider DataDome.
When cybercriminals succeed in taking control of an online account, they can perform unauthorized transactions, unbeknownst to the victims.
“These often go undetected for a long time because logging in isn’t a suspicious action,” warned Fabre. “It’s within the business logic of any website with a login page. Once a hacker is inside a user’s account, they have access to linked bank accounts, credit cards, and personal data that they can use for identity theft.”
It will be important for those who believe they may have their data compromised to remain vigilant.
“As always, malicious actors have your email address,” Boote suggested. “To be safe, users should change their Twitter password and make sure it’s not reused for other sites. And from now on, it’s probably best to just delete any emails that look like they’re from Twitter to avoid phishing scams.”
