After reports in late 2022 that hackers were selling stolen data from 400 million Twitter users, researchers now say a widely circulated trove of email addresses linked to some 200 million users is likely a refined version of the larger trove with duplicate entries removed. The social network has yet to comment on the mass exposure, but the data cache clarifies the severity of the breach and who may be most at risk as a result of it.
From June 2021 to January 2022, there was a bug in a Twitter application programming interface, or API, that allowed attackers to submit contact information such as email addresses and receive the associated Twitter account in return, if one existed. Before it was patched, attackers exploited the flaw to “scrape” data from the social network. And while the bug didn’t let hackers access passwords or other sensitive information like direct messages, it exposed the connection between Twitter accounts, which are often pseudonymous, and the email addresses and phone numbers linked to them, which could identify users.
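To make the failure mode concrete, here is an added illustration (not Twitter’s code, and no claim about how the real API was built) of an “email in, account out” contact-lookup endpoint in a deliberately vulnerable form beside a hardened one: the hardened version honours a per-account discoverability setting, makes unknown and non-discoverable emails indistinguishable, and records per-client query volume so bulk scraping is visible in telemetry. The user table and client budget are constructed sample values.

```python
from collections import defaultdict

# Constructed sample data: handle -> (email on file, opted in to be found by email?)
USERS = {
    "@alice": ("alice@example.com", True),
    "@whistleblower": ("private@example.net", False),
}
EMAIL_INDEX = {email: handle for handle, (email, _) in USERS.items()}


def lookup_vulnerable(email: str) -> dict:
    """Returns the linked handle for any email on file, ignoring the account's
    discoverability setting: a de-anonymisation oracle for pseudonymous users."""
    handle = EMAIL_INDEX.get(email)
    return {"found": handle is not None, "handle": handle}


class HardenedLookup:
    """Only accounts that opted in to discovery are returned; a non-discoverable
    account and an unknown email produce the identical response, and each client's
    query count is tracked so that scraping shows up as a detection signal."""

    def __init__(self, budget: int = 50):
        self.budget = budget                 # max lookups per client (assumed value)
        self.queries = defaultdict(int)
        self.flagged = set()                 # clients that exceeded the budget

    def lookup(self, client_id: str, email: str) -> dict:
        self.queries[client_id] += 1
        if self.queries[client_id] > self.budget:
            self.flagged.add(client_id)      # surface to the SOC; deny further lookups
            return {"found": False, "handle": None}
        handle = EMAIL_INDEX.get(email)
        if handle is None or not USERS[handle][1]:
            return {"found": False, "handle": None}   # same shape for both cases
        return {"found": True, "handle": handle}
```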
While live, the vulnerability was apparently exploited by multiple actors to build different collections of data. One that has been circulating on crime forums since the summer included the email addresses and phone numbers of some 5.4 million Twitter users. The huge newly discovered trove appears to contain only email addresses. However, the widespread circulation of the data creates the risk of phishing attacks, identity theft attempts, and other attacks on individuals.
Twitter did not respond to WIRED’s requests for comment. The company wrote of the API vulnerability in an August disclosure: “When we learned of this, we immediately investigated and fixed it. At that time, we had no evidence to suggest that someone had taken advantage of the vulnerability.” Twitter’s telemetry was apparently insufficient to detect the malicious scraping.
Twitter is far from the first platform to expose data for mass scraping via an API flaw, and it’s common in such scenarios for there to be confusion about how many different data troves actually exist as a result of malicious exploitation. However, these incidents are still significant because they add more connections and validation to the massive body of stolen data about users that already exists in the criminal ecosystem.
“Obviously, there are a number of people who knew about this API vulnerability and a number of people who fixed it. Did different people scrape different things? How many troves are there? In a way it doesn’t matter,” says Troy Hunt, founder of breach tracking site HaveIBeenPwned. Hunt ingested the Twitter dataset into HaveIBeenPwned and says it represented information on more than 200 million accounts. Ninety-eight percent of the email addresses had already been exposed in previous breaches reported by HaveIBeenPwned. And Hunt says he sent notification emails to nearly 1,064,000 of his service’s 4.4 million email subscribers.
“This is the first time I’ve ever sent a seven-figure email,” he says. “Almost a quarter of my entire body of subscribers is really significant. But because so much of this was already available, I don’t think this is an incident that has a long tail in terms of impact. But you can de-anonymize people. What worries me the most are the people who wanted to keep their privacy.”
Twitter wrote in August that it shared this concern about the possibility of users’ pseudonymous accounts being linked to their real identities as a result of the API vulnerability.
“If you operate a pseudonymous Twitter account, we understand the risks an incident such as this may present and deeply regret this has happened,” the company wrote. “To keep your identity as hidden as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”
However, for users who had not yet linked their Twitter handles to disposable email accounts at the time of scraping, the advice comes too late. In August, the social network said it was notifying potentially affected people about the situation. The company has not said whether it will make any further notifications in light of the hundreds of millions of records exposed.
The Irish Data Protection Commission said last month that it is investigating the incident that produced the trove of 5.4 million user email addresses and phone numbers. Twitter is also currently under investigation by the US Federal Trade Commission over whether the company violated a “consent decree” that required Twitter to improve its users’ privacy and data protection measures.
This story originally appeared on wired.com.