Massive data breach on Twitter worse than reported; several hacks

A Twitter data breach last year, exposing over five million phone numbers and email addresses, was worse than originally announced. We were shown proof that the same security vulnerability was exploited by multiple malicious actors, and that the hacked data was offered for sale on the dark web by multiple sources.

It was previously thought that a single hacker had accessed the data, and Twitter’s belated admission reinforced that impression…

Background

The vulnerability was first reported through HackerOne in January 2022. It allowed anyone to submit a phone number or email address and get back the associated twitterID. This is an internal numeric identifier used by Twitter, but it can easily be converted to the account's public handle.

A bad actor would be able to build a unique database combining Twitter IDs, email addresses, and phone numbers.
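To make the enumeration pattern concrete, here is an added toy model; it is not Twitter's code or API, and the accounts, identifiers and limits are all constructed. The first lookup function behaves like the bug the page describes (any email or phone already on an account yields the internal ID, discoverability is on unless the user turned it off, and nothing throttles the caller), so a harvester can run a whole +XX 0000..9999 phone space or an existing email dump through it, as the sources quoted later on this page describe. The hardened version changes only two things: the discoverability setting is off unless the user opted in, and each caller is capped, so a sweep stalls after a handful of queries.

```python
"""Toy account-discovery oracle and the enumeration attack it enables.
Added illustration only: not Twitter's code, API, endpoints or defaults.
Every account, email and phone number below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int                 # internal numeric ID (the page's "twitterID")
    handle: str                  # public handle the ID is convertible to
    email: str
    phone: str
    # None means the user never touched the setting; the oracle's default decides.
    discoverable_by_phone: Optional[bool] = None
    discoverable_by_email: Optional[bool] = None


# Constructed sample directory (fake people, fake numbers).
DIRECTORY = [
    Account(1001, "alice", "alice@example.com", "+44 0001"),
    Account(1002, "bob", "bob@example.com", "+44 0002", discoverable_by_phone=False),
    Account(1003, "carol", "carol@example.org", "+33 0007", discoverable_by_email=False),
    Account(1004, "dave", "dave@example.net", "+44 0009", discoverable_by_phone=True),
]
BY_EMAIL = {a.email: a for a in DIRECTORY}
BY_PHONE = {a.phone: a for a in DIRECTORY}
BY_ID = {a.user_id: a for a in DIRECTORY}

# Constructed "existing breach dump" of email addresses, as in the page's description.
EMAIL_DUMP = ["alice@example.com", "bob@example.com", "carol@example.org",
              "dave@example.net", "nobody@example.net"]


def _effective(flag, default):
    """Apply the oracle's default to users who never chose a setting."""
    return default if flag is None else flag


def lookup_vulnerable(identifier):
    """Bug-pattern oracle: opt-out discoverability (default ON) and no throttling.
    Returns the internal ID for any matching, discoverable account."""
    acct = BY_EMAIL.get(identifier)
    if acct and _effective(acct.discoverable_by_email, True):
        return acct.user_id
    acct = BY_PHONE.get(identifier)
    if acct and _effective(acct.discoverable_by_phone, True):
        return acct.user_id
    return None


def id_to_handle(user_id):
    """The internal ID is trivially convertible to the public handle."""
    return BY_ID[user_id].handle


def phone_space(country_code, width=4):
    """The whole '+XX 0000'..'+XX 9999' space for one country code."""
    return (f"{country_code} {n:0{width}d}" for n in range(10 ** width))


def harvest(oracle, candidates):
    """Run a candidate list (a phone space or an email dump) through the oracle
    and build the linked ID / handle / identifier database the page warns about."""
    linked = {}
    for ident in candidates:
        uid = oracle(ident)
        if uid is not None:
            entry = linked.setdefault(uid, {"handle": id_to_handle(uid), "identifiers": []})
            entry["identifiers"].append(ident)
    return linked


class RateLimitExceeded(Exception):
    pass


class HardenedDirectory:
    """Same lookup with two fixes: discoverability is opt-in (default OFF) and
    every caller is capped. 'No account' and 'not discoverable' look identical."""

    def __init__(self, max_per_caller):
        self.max_per_caller = max_per_caller
        self.calls = defaultdict(int)

    def lookup(self, caller, identifier):
        self.calls[caller] += 1
        if self.calls[caller] > self.max_per_caller:
            raise RateLimitExceeded(caller)
        acct = BY_EMAIL.get(identifier)
        if acct and _effective(acct.discoverable_by_email, False):
            return acct.user_id
        acct = BY_PHONE.get(identifier)
        if acct and _effective(acct.discoverable_by_phone, False):
            return acct.user_id
        return None


def sweep_hardened(directory, caller, candidates):
    """Attempt the same sweep against the hardened endpoint; report the hits and
    how many queries got through before the cap cut the sweep off."""
    hits, sent = {}, 0
    for ident in candidates:
        try:
            uid = directory.lookup(caller, ident)
        except RateLimitExceeded:
            break
        sent += 1
        if uid is not None:
            hits[uid] = id_to_handle(uid)
    return hits, sent


if __name__ == "__main__":
    print(harvest(lookup_vulnerable, phone_space("+44")))
    print(harvest(lookup_vulnerable, EMAIL_DUMP))
    print(sweep_hardened(HardenedDirectory(max_per_caller=50), "scraper", phone_space("+44")))
```

The per-caller cap here is a stand-in for whatever the real service would use (per-client, per-IP and per-account budgets, plus anomaly detection on contact-upload volume); the point is that a default-on discoverability setting plus an unthrottled membership oracle is what turns a convenience feature into a 500,000-records-per-hour scraper.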

At the time, Twitter acknowledged that the vulnerability existed, and it was later patched, but the company said nothing about anyone having exploited it.

Restore Privacy subsequently reported that a hacker had indeed used the vulnerability to get personal data from millions of accounts.

A verified Twitter vulnerability from January was exploited by a malicious actor to obtain account data of allegedly 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum posted earlier today.

Twitter later confirmed the hack.

In July 2022, we learned from a news article that someone had potentially taken advantage of this and was offering to sell the information they had compiled. After reviewing a sample of data available for sale, we confirmed that a bad actor took advantage of the issue before it was resolved.

Massive Twitter data breach: plural, not singular

There were suggestions on Twitter yesterday that the same personal data had been accessed by several bad actors, not just one. 9to5Mac has now seen proof that this is indeed the case. We were shown a dataset containing the same information in a different format, with a security researcher stating that it was “definitely a different threat actor”. The source told us this was just one of many files they saw.

The data includes Twitter users in the UK, almost all EU countries and parts of the US.

I got several files, one per phone number country code, containing the phone number <-> Twitter account name matching for the whole country phone number space from +XX 0000 to +XX 9999.

Any Twitter account with the Discoverability | Phone option activated at the end of 2021 was listed in the dataset.

The option in question is buried deep in Twitter's settings (under Privacy and safety > Discoverability and contacts) and appears to be enabled by default.

The bad actors are thought to have been able to download around 500,000 records per hour, and the data has been offered for sale by multiple sources on the dark web for around $5,000.

The security expert who tweeted about it had his account suspended

Another security specialist who tweeted about the issue yesterday had his Twitter account suspended the same day. Internationally recognized IT security expert Chad Loder predicted Twitter's reaction, and his prediction was confirmed within minutes.

They told me that several hackers had obtained the same data and combined it with data from other breaches.

There appear to have been multiple threat actors, operating independently, harvesting this data throughout 2021 for phone numbers and emails.

The email-Twitter pairings were derived by running large existing databases of over 100 million email addresses through this Twitter discovery vulnerability.

We would reach out to Twitter for comment, but Musk fired the entire media relations team, so…

Photo: Unsplash
