
What Twitter's 200 Million Email Leak Really Means


Rosie Struve; Getty Images

After reports in late 2022 that hackers were selling stolen data on 400 million Twitter users, researchers now say a widely circulated trove of email addresses linked to around 200 million users is likely a refined version of that larger collection with duplicate entries removed. The social network has yet to comment on the massive exposure, but the data cache clarifies the severity of the leak and who may be most at risk as a result.

From June 2021 to January 2022, there was a bug in a Twitter application programming interface, or API, that allowed attackers to submit contact information such as email addresses and receive the associated Twitter account, if any, in return. Before it was patched, attackers exploited the flaw to “scrape” data from the social network. And while the bug didn’t give hackers access to passwords or other sensitive information like DMs, it exposed the connection between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers linked to them, potentially identifying users.

While it was live, the vulnerability was apparently exploited by multiple actors to create different collections of data. The one circulating in crime forums since the summer included the email addresses and phone numbers of about 5.4 million Twitter users. The massive, newly resurfaced hoard appears to contain only email addresses. However, the widespread dissemination of the data creates the risk that it fuels phishing attacks, spoofing attempts, and other targeting of individuals.

Twitter did not respond to WIRED’s requests for comment. The company wrote about the API vulnerability in an August disclosure: “When we learned of this, we immediately investigated and fixed it. At that time, we had no evidence to suggest anyone had taken advantage of the vulnerability.” Apparently Twitter’s telemetry was insufficient to detect the malicious scraping.
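One way such scraping can be surfaced is to count, per API client, how many distinct contacts are submitted to a contact-lookup endpoint within a sliding time window: legitimate address-book syncs and retries stay small, while a scraper produces a long stream of never-repeated contacts. The following is an added example, not Twitter’s code; the endpoint path, log format, client names and sample lines are all constructed.

```python
from collections import Counter, deque
from datetime import datetime

# Constructed sample gateway log (not Twitter's): "<timestamp> <client> <endpoint> <key>".
# A real gateway should log a salted hash of the submitted email/phone; keys here are fakes.
SAMPLE_LOG = """\
2021-07-01T10:00:00 app_a /contacts/lookup k01
2021-07-01T10:00:01 app_a /contacts/lookup k02
2021-07-01T10:00:02 app_a /contacts/lookup k03
2021-07-01T10:00:03 app_a /contacts/lookup k04
2021-07-01T10:00:06 app_b /contacts/lookup k05
2021-07-01T10:00:30 app_b /contacts/lookup k05
2021-07-01T10:00:00 app_c /contacts/lookup k06
2021-07-01T10:15:00 app_c /contacts/lookup k07
2021-07-01T10:30:00 app_c /contacts/lookup k08
2021-07-01T10:00:00 app_a /timeline/home -
"""


def parse_log(text):
    """Yield (timestamp, client, endpoint, key) per log line."""
    for line in filter(None, text.splitlines()):
        ts, client, endpoint, key = line.split()
        yield datetime.fromisoformat(ts), client, endpoint, key


def detect_enumeration(text, window_s=600, max_distinct=3):
    """Flag clients that send more than max_distinct *distinct* contacts to the
    lookup endpoint within any sliding window of window_s seconds."""
    per_client = {}
    for ts, client, endpoint, key in parse_log(text):
        if endpoint == "/contacts/lookup":
            per_client.setdefault(client, []).append((ts, key))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        recent, live, peak = deque(), Counter(), 0
        for ts, key in events:
            recent.append((ts, key))
            live[key] += 1          # retries of one contact stay one key
            while (ts - recent[0][0]).total_seconds() > window_s:
                old_ts, old_key = recent.popleft()   # expire old requests
                live[old_key] -= 1
                if live[old_key] == 0:
                    del live[old_key]
            peak = max(peak, len(live))
        if peak > max_distinct:    # never-repeating stream = scraping signature
            flagged[client] = peak
    return flagged
```

With the sample log only `app_a` is flagged (4 distinct contacts in 3 seconds); `app_b`’s retries of one contact and `app_c`’s slow sync of three contacts stay under the threshold.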

Twitter is far from the first platform to expose data to mass scraping via an API flaw, and in such scenarios there is commonly confusion over how many distinct data troves actually exist as a result of malicious exploitation. These incidents are important nonetheless, as they add more connections and validation to the huge mass of stolen data about users that already exists in the criminal ecosystem.

“Obviously, several people knew about this API vulnerability and several people picked it up. Did different people scrape different things? How many troves are there? It doesn’t matter,” says Troy Hunt, founder of breach tracking site HaveIBeenPwned. Hunt ingested the Twitter dataset into HaveIBeenPwned and says it represented information on over 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in past breaches recorded by HaveIBeenPwned. And Hunt says he has sent notification emails to nearly 1,064,000 of the 4,400,000 subscribers to his service.

“It’s the first time I’ve sent a seven-digit email,” he says. “Nearly a quarter of my entire follower corpus is truly meaningful. But because so much of that was already there, I don’t think it will be an incident that will have a long tail in terms of impact. But it can de-anonymize people. What worries me the most are people who want to maintain their privacy.”

Twitter wrote in August that it shared the concern that users’ pseudonymous accounts could be linked to their real identities due to the API vulnerability.

“If you are operating a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” the company wrote. “To keep your identity as veiled as possible, we recommend that you do not add any publicly known phone number or email address to your Twitter account.”

For users who had already linked their Twitter handles to their email accounts at the time of the scraping, the advice comes too late. In August, the social network said it was notifying potentially affected people of the situation. The company did not say if it would make any further notification in light of the hundreds of millions of records exposed.

The Irish Data Protection Commission said last month that it is investigating the incident that produced the hoard of 5.4 million users’ email addresses and phone numbers. Twitter is also being investigated by the US Federal Trade Commission over whether the company violated a “consent decree” that required Twitter to improve its privacy and data protection measures for users.

This story originally appeared on wired.com.
