What Twitter’s 200 million email leak really means

Rosie Struve; Getty Images

Following reports at the end of 2022 that hackers were selling stolen data from 400 million Twitter users, researchers now have a widely circulating trove of email addresses linked to about 200 million users. The trove appears to be a refined version of the larger one, with duplicate entries removed. The social network has yet to comment on the massive exposure, but the cache of data reveals the severity of the leak and who may be most at risk as a result.

From June 2021 to January 2022, a bug in the Twitter application programming interface (API) allowed anyone to submit contact information, such as an email address or phone number, and receive the associated Twitter account, if one existed. Before the flaw was patched, attackers exploited it to “scrape” data from the social network. While the bug did not give hackers access to passwords or other sensitive information (such as DMs), it did expose the connection between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers linked to them, so that users could be identified.
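The flaw described above is, in essence, an account-existence oracle: a contact-lookup endpoint whose response differs depending on whether the submitted email or phone number is registered. The following added example (not Twitter's code; the account store, log lines, function names and thresholds are all constructed for illustration) shows such a lookup beside a hardened version that returns a uniform response, plus a simple detector that flags clients querying many distinct contacts in a short window, which is the kind of telemetry the article notes was missing.

```python
"""Contact-lookup oracle: vulnerable vs. hardened, plus a scraping detector.

Added illustration, not Twitter's code. The account store, the request
log lines and the thresholds are all constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account store: contact info -> pseudonymous handle.
ACCOUNTS = {
    "alice@example.com": "@anon_bird",
    "+15550001111": "@night_owl",
}


def lookup_vulnerable(contact: str) -> dict:
    """Mirrors the flaw in the article: the reply reveals whether the
    contact is registered and which handle it belongs to."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "handle": handle}


def lookup_hardened(contact: str) -> dict:
    """Uniform reply whether or not the contact is known. Any real action
    (for example sending an invite or a notification to the contact) would
    happen out of band, so the caller learns nothing about account existence."""
    _ = ACCOUNTS.get(contact)  # do the work, reveal nothing in the response
    return {"status": "accepted"}


def leaks_existence(lookup) -> bool:
    """True if a known and an unknown contact produce different replies."""
    return lookup("alice@example.com") != lookup("nobody@example.com")


# Constructed request log: "<ISO timestamp> <client id> <contact queried>".
# bot-7 queries six distinct contacts in six seconds; app-1 behaves normally.
LOG_LINES = [
    "2022-01-05T10:00:00 app-1 alice@example.com",
    "2022-01-05T10:00:30 app-1 alice@example.com",
    "2022-01-05T10:00:01 bot-7 u1@example.com",
    "2022-01-05T10:00:02 bot-7 u2@example.com",
    "2022-01-05T10:00:03 bot-7 u3@example.com",
    "2022-01-05T10:00:04 bot-7 u4@example.com",
    "2022-01-05T10:00:05 bot-7 u5@example.com",
    "2022-01-05T10:00:06 bot-7 u6@example.com",
    "2022-01-05T10:03:00 app-1 +15550001111",
]


def detect_scrapers(log_lines, window_seconds=60, threshold=5):
    """Flag clients that query more than `threshold` distinct contacts within
    any sliding window of `window_seconds`. Returns sorted client ids."""
    per_client = defaultdict(list)
    for line in log_lines:
        ts, client, contact = line.split(" ", 2)
        per_client[client].append((datetime.fromisoformat(ts), contact))

    flagged = set()
    for client, events in per_client.items():
        events.sort()
        start = 0
        in_window = defaultdict(int)  # contact -> occurrences inside the window
        for ts, contact in events:
            in_window[contact] += 1
            # Evict events that fell out of the window.
            while ts - events[start][0] > timedelta(seconds=window_seconds):
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                flagged.add(client)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("vulnerable leaks existence:", leaks_existence(lookup_vulnerable))
    print("hardened leaks existence:", leaks_existence(lookup_hardened))
    print("flagged clients:", detect_scrapers(LOG_LINES))
```

A uniform response only closes the response-body channel; a production fix also needs per-client rate limits and equalised response timing, and the detector's window and threshold would be tuned to the legitimate use of the endpoint rather than the constructed values here.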

While live, it appears that this vulnerability was exploited by multiple actors to create various data collections. What has been circulating on crime forums since the summer included the email address and phone number of some 5.4 million Twitter users. A large newly discovered treasure trove appears to contain only email addresses. However, the widespread distribution of data creates the risk of facilitating phishing attacks, identity theft attempts, and other personally targeted attacks.

Twitter did not respond to WIRED’s request for comment. Regarding the API vulnerability, the company wrote in its August disclosure: “When we learned about this, we immediately investigated and fixed it. At the time, there was no evidence that anyone had taken advantage of the vulnerability.” Nonetheless, Twitter’s telemetry appears to have been insufficient to detect the malicious scraping.

Twitter is not the first platform to expose data to mass scraping through an API flaw. In such scenarios, confusion about how many distinct data sets actually exist as a result of malicious exploitation is common. These incidents still matter, however, because they add further linkages and verification to the large amount of stolen user data that already circulates in the criminal ecosystem.

“Obviously there are multiple people who were aware of the vulnerability in this API and multiple people who scraped it. Different people scraped different things? How many troves? That matters not,” says Troy Hunt, founder of breach-tracking site HaveIBeenPwned. Hunt says he has ingested the Twitter data set, which contains information on over 200 million accounts, into HaveIBeenPwned; 98 percent of the email addresses were already public in past breaches documented by the site. Hunt also said he has sent notification emails to about 1.064 million of the 4.4 million email subscribers to his service.

“It’s the first time I’ve sent a 7-digit email,” he says. “Almost a quarter of the total corpus of subscribers is really important. It could potentially de-anonymize people. I’m more concerned about individuals who want their privacy.”

Twitter wrote in August that it shared this concern about the possibility of users’ pseudonymous accounts being linked to their real identities as a result of API vulnerabilities.

“If you operate a pseudonymous Twitter account, we understand the risks that incidents like this may take, and we deeply regret that this happened,” the company wrote. “To obscure your identity as much as possible, we recommend that you do not add publicly known phone numbers or email addresses to your Twitter account.”

However, that advice comes too late for users who had not yet moved their Twitter handle to a burner email account at the time of the scraping. In August, the social network said it was informing potentially affected individuals about the situation. It did not disclose whether

Ireland’s Data Protection Commission said last month it was investigating a mass leak of the email addresses and phone numbers of 5.4 million users. Twitter is also currently under investigation by the U.S. Federal Trade Commission over whether it violated a “consent order” that required Twitter to improve its user privacy and data protection measures.

This story originally appeared on wired.com.
